Directory traversal vulnerability in Microsoft Internet Explorer allows remote attackers to read arbitrary files via directory traversal sequences in a URI with a certain scheme, possibly related to "..%5C" (encoded backslash) sequences.
http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/#comment-35888