Since there seems to be a lot of concerns wrt to security,
I am submitting the attached patch.

The reason for this patch is to limit the search for dlls loaded at
runtime to the win32 system directory and/or the emacs application
directory.
In the current state, dlls can be picked up in any directory in the path.
Some one could fake one of these dlls (xpm, png, etc.) and use it for
mean reasons.
It is not bullet proof, but it levels up security and
many other projects have applied such a restriction.

Best regards,

Fabrice