I certainly hope you aren't planning on writing more malware, but...
Most browser hijackers are implemented as browser helper objects (BHOs). A general run-down on what they are and how to write one can be found at:
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp
I'm sure there are lots of other ways to hook your code into IE, but that's the most common way.
Now, as far as getting it installed on a user's computer, that's just a matter of finding a software exploit somewhere. Probably the best real-world example was the Java bytcode verifier bug in Microsoft's Java VM. That particular exploit was, well...gang raped by spyware authors. MS finally patched their VM, but it's a far better thing to remove it entirely and use Sun's instead. MS is no longer allowed to distribute a Java VM anyway due to eariler lawsuits by Sun.
But I digress. Probably the biggest, most persistant method of getting spyware installed is through exploiting security zones. In most browsers, you have a system of zones that you classify web content by. For example, IE uses: Internet, Local Intranet, Trusted Sites, and Restricted Sites. Each one has different "permissions" for code execution. Nearly all browsers implement something similar to this - I believe it was Netscape that actually started this madness. It looks good on paper, but it gave birth to a whole class of exploits called "cross-zone scripting exploits". I haven't done enough reading to cite specific examples or how-tos, but the general idea is this: by using various tricks with HTML, vbscript, javascript, etc., you can sometimes convince the browser that a particular web page, or portions of it, belong in a different (and more permissive) zone.
Cross-zone scripting exploits have been especially bad in IE because in addition to the four zones shown on the security tab of your internet settings, there's a 5th zone, the "local machine" zone, which is basically invisble to users, and which has virtually unrestrained access to the machine. By crossing into the local machine zone, you could get the browser to execute just about anything you wanted to. For years, Microsoft has been discreetly warning people that the zone exists, and that they need to lock it down tighter, but they haven't exactly advertised the problem to end users. Finally, they have at least tried to fix the problem as of XPSP2:
hxxp://msdn.microsoft.com/security/productinfo/xpsp2/securebrowsing/locallockdown.aspx
However there are already some known exploits that manage to circumvent the new security:
hxxp://secunia.com/advisories/12889/
Anyway, this should give you a few leads for google. I'm sure there are lots of other methods employed, but AFAIK, those are the big ones.
Edit: Ok, I'm not sure why, but all of a sudden Exetools isn't honoring line breaks for me. Sorry. It works in preview, but then it strips the blank lines out of the post