Michael Howard points out that the new default behavior for handling user information in HTTP or HTTPS URLs can be disabled and this is covered in Microsoft's KB 834489.
Normally, I would post the necessary registry fix but I am not sure it is a wise idea to disable the new default behaviour though I also think that Microsoft's solution to the URL spoofing vulnerability was an overkill in the first place.
Meanwhile it appears that the MS04-004 fix also broke applications relying on MSXML so Microsoft has issued a fix via KB 832414 to resolve this, except that there is a separate fix for Microsoft XML 3.0 Service Pack 2, Microsoft XML 3.0 Service Pack 3 and Microsoft XML 3.0 Service Pack 4 and it would have helped if Microsoft explained this in more detail.