The spoof test that was posted in the last couple of days - the status bar had a square box at the end of the fake URL (but nothing after it). When the link was clicked, the real link showed up in the address bar (with the %00 and everything).
A BIG thanks to CETIN who brought my attention to this Microsoft article - glad you are still around Cetin !! We MISS you !!
Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites
SUMMARY
When you point to a hyperlink in Internet Explorer, Outlook Express, or Outlook the address of the Web site typically appears in the Status bar. After you click a link that opens in Internet Explorer, the address of the Web site typically appears in the Internet Explorer Address bar and the title of the Web page typically appears in the Title bar.
However, a malicious user could create a link to a deceptive (spoofed) Web site that displays the address, or URL, to a legitimate Web site in the Status bar, Address bar, and Title bar . This article describes steps that you can take to help mitigate this issue and to help you identify a deceptive (spoofed) Web site or URL.
Read the article here: http://support.microsoft.com/?kbid=833786&fr=1
Cetin also mentioned:
I can reproduce myself this. For example, hover the mouse to this simple ZDNet home page (open the attached spoof.htm file in IE).
The URL shows correctly either visually and also in IE address bar. But, if you look in the source code, the crafted URL has a the %00 tring at the end of it.
This is an ugly thing because, usually one checks the visual URL and the hovered URL and they should be identical. However, in this exploit, the %00 is invisible thus being a potential exploit either by sneaky emails or by accidentally clicking a crafted URL at a malicious web site.
Regards,
Cetin

Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic