Thanks Tai and RaINE for the heads up.
The normal behaviour when a page fails to load is to press the backbutton. The error page shown by IE is operating in the local computer zone (res://C:WINNTSystem32shdoclc.dll/dnserror.htm# on Win2000). Thus, we can execute code and read local files.
This has been tested in Windows 2000/XP environment with Internet Explorer 6.0 fully patched. There is no patch available for this yet.
News source: BugTraq Archive