This was on BetaNews today:
"Yet another potentially dangerous Internet Explorer 5 security hole has appeared. If a '%01' is added before a URL, the browser interprets the website to be part of a local intranet, thus disabling Internet Security Zones. The problem is in the Microsoft Scriptlet Component, and could easily allow malicious webmasters to read local files and send them to another domain. Another variation of this bug allows websites to spoof Trusted Sites, potentially tricking visitors into giving up private information. Microsoft has stated a patch will be released in the near future and users can disable scripting pending the fix."