TechWeb just posted an article on continuing DNS cache poisoning, and Microsoft has a KB article on the issue. The problem: cache protection (in Windows 2000 SP3 and above) only applies when the DNS server is a master. If it is forwarding all requests, the data is assumed to have been filtered by the upstream DNS server. If that server isn't filtering properly, the cache can still be poisoned. This is often the case when Windows DNS is set to forward requests to an older version of BIND. The Internet Storm Center has a pretty good description of the several scenarios and of how you need to protect your organization depending on your scenario.
Lesson learned: Look at the whole chain to understand how you're protected.
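The forwarding chain described above, as an added example that is not code from Microsoft, BIND or the linked articles. It is a toy model: the `Resolver` class, the host names and the addresses are constructed, and the protection is assumed to work as a simple "discard records outside the queried zone" check.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner name, type, rdata)

def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner is the zone apex or a name below it (label-wise, case-insensitive)."""
    o = owner.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(o) >= len(z) and o[-len(z):] == z

@dataclass
class Resolver:
    name: str
    filters: bool                          # cache-pollution protection switched on?
    upstream: Optional["Resolver"] = None  # set when this hop forwards all requests
    cache: dict = field(default_factory=dict)

    def resolve(self, zone: str, reply: List[Record]) -> List[Record]:
        if self.upstream is not None:
            # Forwarding hop: per the post, the reply is assumed to be already
            # filtered upstream, so the local protection setting is not applied.
            records = self.upstream.resolve(zone, reply)
        elif self.filters:
            records = [r for r in reply if in_bailiwick(r[0], zone)]
        else:
            records = list(reply)
        for owner, rtype, rdata in records:
            self.cache[(owner.lower(), rtype)] = rdata
        return records

def polluted(resolver: Resolver, zone: str) -> List[str]:
    """Owner names cached by this resolver that lie outside the queried zone."""
    return sorted({o for (o, _t) in resolver.cache if not in_bailiwick(o, zone)})

# Constructed reply to a query for www.example.com: one legitimate answer plus
# an unrelated record that a filtering resolver should discard.
REPLY = [("www.example.com", "A", "192.0.2.10"),
         ("login.example.net", "A", "203.0.113.66")]

def run_chain(upstream_filters: bool) -> List[str]:
    """Forwarder with protection enabled, in front of an upstream that may or may not filter."""
    upstream = Resolver("upstream", filters=upstream_filters)
    edge = Resolver("forwarder", filters=True, upstream=upstream)
    edge.resolve("example.com", REPLY)
    return polluted(edge, "example.com")

if __name__ == "__main__":
    print("upstream unfiltered:", run_chain(False))
    print("upstream filtering: ", run_chain(True))
```

The forwarder has `filters=True` in both runs; only the upstream's setting changes what ends up in its cache.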