Not only did this IE patch fix a security problem, they also disabled URLs that contain a username and password: http://username:password@server/resource.ext.