Came accross a change coming in the next version of Internet Explorer via ASP.NET Developer Center on MSDN. Any URLs containing a user id and password will be disabled. For example, if I have a secure site and I want to avoid the logon dialog, I could use a URL like the following: http://myusername:mypassword@www.supersecretplace.com/.

I don't belive that using a URL like this is actually in the HTTP spec, but I don't think I've ever used this anyway that I can think of. However, it is a change worth noting. Not a surprise that the change comes from people (spammers, they're not really people are they?) leveraging this to send users elsewhere. Take a look at the article here and the KB article here describing this change in IE.