When a non-IE browser issues a request for these non-recognised URLs,
httpd simply doesn't return any data. However, Apache returns a
'Forbidden/you don't have permission to access <URL> on this server',
indicating that Apache is actually trying to parse the
Microsoft-specific local-filesystem URL cocatenated with the directory
URL, finding nothing that matches, and deciding it's forbidden.
As something of a worst case, this is illustrated in my IE4 browser
exploit pages, where a meta-http reload of an IE4-specific URL may do
bad things to your browser:
For httpd 1.5.2a (until we upgrade to Apache):
Our Apache 1.2.5 test server, where the pages perform rather worse
when viewed with any remaining non-IE browsers:
Other than looking for an httpd home to redirect to that will serve
these pages for nostalgia reasons, this seems to raise a standards
issue - should webservers (and proxy caches, for that matter) know to
parse and deal with (in this case, ignore) requests for single-vendor
non-standard local URLs taking part of the namespace that no-one else
will then want to use?
Looks like Microsoft has res:, mk:, [a-z]: and presumably a number
of others sewn up.