There is a bug in Internet Explorer 4.x (patched) which allows "window spoofing".
The problem is: if you add '%01someURL' after an 'about:somecode' URL, IE thinks that the document is loaded from the domain of 'someURL'.
This circumvents "Cross-frame security" and opens several security holes.

After visiting a hostile page (or clicking a hostile link) a window is opened and its location is a trusted site. However, the content of the window is not that of the original site, but it is supplied by the owner of the page. So, the user is mislead he is browising a trusted site, while he is browsing a hostile page and may provide sensitive information, such as credit card number.
The bug may be exploited using HTML mail message. The exploit uses Javascript.
Workaround: Disable Javascript.
Written by Georgi Guninski.