Update: Tyler Reguly told me that you actually can get this working in IE8.0 but it needs to be part of a path. So I updated the example below so that it works in both.
One of the things Josh and I talked about during our preso was a way to get people to disclose their usernames and their machine names using a simple URL. Well, it turns out that in IE7.0 if you cut and paste things with a %…% in them it translates to a OS variable. So if you include something like %computername% or %appdata% or the like you’ll end up with machine names and full paths to the user’s home directory. That can be super helpful for de-cloaking. Please note this only works in Internet Explorer. Here’s an example:
If you cut and paste that it will be translated on the fly before it is sent. So how you’d use this is either just like you see above - a URL that must be cut and pasted to be used or something like a broken link that is clearly easily re-constructed just by changing one letter or removing a space or something. I never did find a way to automatically get this to fire. I tried in CSS, images, iframes, frames, word docs, PDFs, and on and on. If someone figures out a way to make it automatically fire without user interaction that would make this a lot more useful. Either way, it seemed worthy of a post.