URL spoofing flaw could be used in bank scams
This looks like a serious flaw in IE. It was discovered by a graphic designer, and it is very simple to exploit.
Check this page for a demo of the effect in IE. Scary!
So by typing http://www.microsoft.com␣@zapthedingbat.com/security/ex01/vun2.htm (the ␣ stands for a non-printing character that does not survive on this page), Internet Explorer shows only the part before the @ and displays http://www.microsoft.com in the address bar, while the page you are looking at is actually served by zapthedingbat.com.
Why? Note the special non-printing character included just before the @. In a URL of the form http://user@host/path, everything before the @ is the username part, not the host, so the real server is whatever comes after the @. IE truncates the displayed address at the non-printing character, so all the user sees is the fake "host" that the attacker put in the username.
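To make the mechanism concrete, here is a small added example (not part of the original post, and not IE's code): it parses the spoofed link with the standard WHATWG URL class to show which host a browser really connects to, reproduces the truncated display with a deliberately naive routine, and flags links whose username part is built to be mistaken for a hostname. It assumes Node.js (v10 or later, where URL is a global) and assumes the non-printing character before the @ is %01, the URL-encoded form of U+0001; the sample URLs are constructed from the one quoted above.

```javascript
// Added example (not part of the original post): why the '@' trick works and
// how a link checker can flag it. Assumes Node.js v10+ (global WHATWG URL);
// the same class exists in modern browsers.

// Constructed sample of the spoofed link from the post. The non-printing
// character before the '@' is assumed to be %01 (URL-encoded U+0001).
const SPOOFED = "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm";
const HONEST = "http://zapthedingbat.com/security/ex01/vun2.htm";

// C0 control characters plus DEL: none of these belong in a displayed URL.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

// Illustration of a display routine that decodes the URL and stops at the
// first control character. This reproduces the effect the post describes;
// it is a stand-in, not IE's actual code.
function naiveDisplay(rawUrl) {
  const decoded = decodeURIComponent(rawUrl);
  const cut = decoded.search(CONTROL_CHARS);
  return cut === -1 ? decoded : decoded.slice(0, cut);
}

// The host the browser actually connects to. In http://user@host/path,
// everything before the '@' is the userinfo component (RFC 3986 section
// 3.2.1), never the host, so a correct parser ignores the misleading prefix.
function realHost(rawUrl) {
  return new URL(rawUrl).hostname;
}

// Heuristic spoof check for links (e.g. in incoming mail): flag any URL that
// carries userinfo at all, and list the reasons it looks suspicious.
function spoofCheck(rawUrl) {
  const u = new URL(rawUrl);
  const userinfo = decodeURIComponent(u.username);
  const reasons = [];
  if (u.username !== "" || u.password !== "") {
    reasons.push("URL carries userinfo (text before '@')");
  }
  if (CONTROL_CHARS.test(userinfo)) {
    reasons.push("userinfo contains a non-printing character");
  }
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(userinfo)) {
    reasons.push("userinfo looks like a hostname");
  }
  return { host: u.hostname, userinfo, suspicious: reasons.length > 0, reasons };
}

// Demo: what the user sees versus where the request really goes.
console.log("address bar would show :", naiveDisplay(SPOOFED));
console.log("request actually goes to:", realHost(SPOOFED));
console.log(spoofCheck(SPOOFED));
console.log(spoofCheck(HONEST));
```

Running it prints http://www.microsoft.com as the displayed address but zapthedingbat.com as the real host, and the check flags the spoofed link on all three counts while passing the honest one. The check is a filter-side heuristic for mail gateways or proxies; legitimate URLs with credentials exist but are rare enough that rejecting or rewriting them is a reasonable default, and it does nothing for the browser's own display bug, which only a patch fixes.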
Imagine a spammer who wants to redirect gullible users to a fake bank site that asks them for their account details!
Easy: the scam can go as far as duplicating the whole website. I think MSFT should release a fix for this very quickly. It reminds me of the 'old' $Data flaw in IIS 4 a few years ago.
More details here, or you can read the Microsoft KB here.