The long awaited patch for ie is now available that will break the standard http://user:pass@domain functionality but will prevent a lot of the phishing attacks that have gone on. To check whether you are still vulnerable or not, visit my initial page on the phishing problem. This update is actually one of three vulnerabilities that has been patched in the cumaltive update.
There are more details in the February 2004 security bulletin
