milov.nl

Interaction design • webdevelopment • web art • photography

December 2003

This new Internet Explorer vulnerability adds a new dimension to the old http://www.fakehost.com@realhost.com URL trick: by including a 0x01 character after the "@" character, the real hostname remains hidden!

This means that Internet Explorer users can no longer trust any URL they see in their Address Bar to be the actual URL of the current page, unless they typed it themselves. [via Simon Willison]

Update: Mozilla is also partly affected by this vulnerability, in that it doesn't show the real hostname in the status bar (the address bar is OK, however). See MozillaZine.
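A defender-side check for the trick described above, as an added example that is not part of the original post: it reports the host a link actually targets and flags hostname-shaped userinfo or control characters such as 0x01 anywhere in the authority. The function name `inspectLink`, the finding labels and the sample links (built from the post's placeholder hostnames) are assumptions made for this example.

```javascript
// Added example: flag links whose authority part hides the real host.
// Raw or percent-encoded control characters (0x00-0x1f, 0x7f).
const CONTROL = /[\u0000-\u001f\u007f]|%(?:[01][0-9a-f]|7f)/i;

function inspectLink(raw) {
  const findings = [];
  // Authority = everything between "//" and the next "/", "?" or "#".
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(raw);
  const authority = m ? m[1] : "";
  const at = authority.lastIndexOf("@");
  const userinfo = at >= 0 ? authority.slice(0, at) : "";

  if (at >= 0) findings.push("userinfo-present");
  // Text before "@" that is shaped like a hostname is the classic decoy.
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(userinfo)) {
    findings.push("userinfo-looks-like-host");
  }
  // Control characters on either side of the "@" have no place in a link.
  if (CONTROL.test(authority)) findings.push("control-char-in-authority");

  let realHost = null;
  try {
    realHost = new URL(raw).host; // host a standards-based parser contacts
  } catch {
    findings.push("unparseable"); // strict parsers may reject the link outright
  }
  return { realHost, userinfo, findings, suspicious: findings.length > 0 };
}

// Constructed sample links using the post's placeholder hostnames.
const samples = [
  "http://realhost.com/index.html",
  "http://www.fakehost.com@realhost.com/",
  "http://www.fakehost.com%01@realhost.com/",
  "http://www.fakehost.com\u0001@realhost.com/",
];
for (const s of samples) {
  const r = inspectLink(s);
  console.log(JSON.stringify(s), "->", r.realHost, r.findings.join(",") || "clean");
}
```

A mail filter or link previewer can show `realHost` next to the link text and refuse to render anything marked `suspicious`.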