I recommend everyone visit Windows Update and install this patch.  Here is the security bulletin containing technical information about the patch.  I will summarize it for you.

This patch fixes a cross-domain vulnerability that could allow Local Machine Zone (LMZ) script execution (this is the Back button JScript vulnerability).  This patch fixes the DHTML drag-drop file download vulnerability (save arbitrary code to your machine, but not execute it).  This patch fixes a URL parsing bug that could be exploited to show a URL in the address bar that is different from where you actually are.

And one last important change:

This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

http(s)://username:password@server/resource.ext

For more information about this change, please see Microsoft Knowledge Base article 834489.
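
If you maintain pages, mail templates or logs that may still contain links in the removed `username:password@server` form, the sketch below finds them and reports the host each link really points to. It is an added example, not code from the bulletin or from Microsoft; the function names and the sample lines are assumptions constructed for illustration, and it relies only on the standard `URL` parser available in browsers and Node.js.

```javascript
// Added example: flag http(s) URLs that carry a userinfo part (user[:password]@host).
// Function names are hypothetical; sample data below is constructed.

// Userinfo that itself looks like a host name is easy to misread as the destination.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

function safeDecode(s) {
  // Userinfo comes back percent-encoded; malformed escapes are left as-is.
  try { return decodeURIComponent(s); } catch { return s; }
}

function inspectUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }          // not a parseable URL
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username === "" && u.password === "") return null;   // no userinfo: fine
  const user = safeDecode(u.username);
  return {
    raw,
    realHost: u.hostname,              // where the request actually goes
    userinfoUser: user,                // text in front of the "@"
    hasPassword: u.password !== "",    // credentials embedded in the link
    userLooksLikeHost: HOSTLIKE.test(user),
  };
}

function findUserinfoUrls(text) {
  // Pull out URL-shaped tokens, then let the URL parser decide what is userinfo.
  const candidates = text.match(/https?:\/\/[^\s"'<>]+/gi) || [];
  return candidates.map(inspectUrl).filter(Boolean);
}

// Constructed sample input (reserved example names and addresses only).
const sampleLog = [
  "referer=https://www.example.com/index.htm",
  "link=http://username:password@server.example/resource.ext",
  "link=http://www.example.com@192.0.2.7/login.htm",
  "link=http://server.example/search?q=user@example.org", // "@" in query, not userinfo
].join("\n");

for (const hit of findUserinfoUrls(sampleLog)) {
  console.log(`${hit.raw} -> real host ${hit.realHost}` +
    (hit.hasPassword ? " [embedded password]" : "") +
    (hit.userLooksLikeHost ? " [userinfo resembles a host name]" : ""));
}
```

Only the second and third sample lines are reported; an `@` that appears in the path or query string is not userinfo and is ignored.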