You know, the IE Spoofing "bug" is getting a lot of press today. You know, I find it interesting that IE7 has been in beta for a really long time, and they pick 4 days after it's released to bring it to light. They had more than enough time to report it to Microsoft before RTM... it's not like they don't have an open line of communication directly with the IE team. Could it be that Secunia had something to gain from keeping it quiet until after RTM? Sure seems like it from here in the cheap seats.
BUT, it's also important to note that this issue does not occur on Windows Vista. I'm running RC2 (without UAC, as you can see) and the "flaw" doesn't happen. A screenshot from their test page is below.
So, if you're on XPSP2 and use pop-ups, make sure you right-click on pages and select "Properties" to make sure you're where you're supposed to be.