http://www.microsoft.com/technet/security/advisory/925568.mspx discusses a vulnerability in the VML parsing dll which can result in an unpleasant experience.
http://www.microsoft.com/technet/isa/2006/how-to-block-vml.mspx discusses a methodology by which you can use ISA 2004 or ISA 2006 to block HTTP-based attacks targeted against this vulnerability.
Finally, http://isatools.org/block_vml.vbs automates the process of creating the proper HTTP Filter settings for you.
Tim's report was accurate (see my comments). I've updated the script to version 1.2 and reposted it. Many thanx to Tim for his discovery.
Jim Harrison (ISA Sustained Engineering)
Hello! Very interesting. Thank you.