Thanks Tai and RaINE for the heads up.
IE allows URLs containing the javascript protocol in the history list. Code injected in the URL will operate in the same zone/domain as the last URL viewed. The javascript URL can be set to trigger when a user presses the Back button.
The normal behaviour when a page fails to load is to press the Back button. The error page shown by IE is operating in the local computer zone (res://C:\WINNT\System32\shdoclc.dll/dnserror.htm# on Win2000). Thus, we can execute code and read local files.
This has been tested in a Windows 2000/XP environment with Internet Explorer 6.0 fully patched. There is no patch available for this yet.
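The following is an added example, not code from the advisory or from Internet Explorer: a simplified model of the behaviour described above, showing a javascript: history entry inheriting the zone of the displayed error page, next to a hardened policy that refuses such entries when they are recorded. The class and function names, the site.example URL, the shortened res:// URL and the zone mapping are assumptions made for the illustration.

```javascript
// Simplified model, constructed for illustration; not Internet Explorer's code.

// Extract the scheme the way a browser would see it: tabs and newlines inside
// the URL and leading spaces/control characters are ignored, case is folded.
function schemeOf(url) {
  const cleaned = String(url).replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Assumption: only res:// pages map to the local computer zone in this model.
function zoneOf(url) {
  return schemeOf(url) === "res" ? "local computer" : "internet";
}

class HistoryModel {
  constructor(hardened) {
    this.hardened = hardened;
    this.entries = [];
    this.displayed = null;
  }
  // Record a history entry; the hardened policy refuses javascript: URLs.
  push(url) {
    if (this.hardened && schemeOf(url) === "javascript") return false;
    this.entries.push(url);
    return true;
  }
  // Display a document (such as the error page) without recording it.
  show(url) { this.displayed = url; }
  // Back button: a javascript: entry runs in the zone of the displayed page.
  back() {
    const target = this.entries.pop();
    if (target === undefined) return { action: "none", zone: null };
    if (schemeOf(target) === "javascript") {
      return { action: "script", zone: zoneOf(this.displayed) };
    }
    this.displayed = target;
    return { action: "navigate", zone: zoneOf(target) };
  }
}

// Constructed session: a normal page, a history entry with an obfuscated
// javascript: scheme, then a failed load that shows the res:// error page.
function pressBackOnErrorPage(hardened) {
  const h = new HistoryModel(hardened);
  h.push("http://site.example/start");
  h.push(" Java\tScript:void(0)");
  h.show("res://shdoclc.dll/dnserror.htm");
  return h.back();
}
```

The scheme check normalises the URL first because a plain prefix comparison against "javascript:" misses mixed-case and whitespace-padded forms.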
News source: BugTraq Archive