Similar to older bugs, this one involves a URL that begins with a trusted site name, then some funny characters, then the real site name. The real site is then handled under the trusted site’s permissions. It does require the real site to have wildcard DNS and its web server to accept invalid “Host:” header values.
Set the security level for all zones to “High” in Internet Explorer. This will impair functionality on many web sites.
Don’t follow links from untrusted sources, but input URLs manually in the address bar.
Use another browser.
Don’t think I could say it much better myself. Either disable all the fancy stuff that people use IE for (leaving you with a browser that supports even fewer features than IE-alternatives), or switch to a different browser.
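For anyone filtering links at a proxy or mail gateway, the URL shape described above (trusted name, odd characters, real name) can be flagged before a browser ever sees it. This is an added example, not code from the advisory or from this post; the host names, the `%01` byte and the function names are constructed for illustration, since the post does not say which characters are involved.

```javascript
// A DNS label: letters, digits and hyphens only, 1-63 chars, no leading/trailing hyphen.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Pull the host out of an absolute URL WITHOUT decoding or normalising it,
// so unexpected bytes stay visible instead of being rewritten by a URL parser.
function rawHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  if (!m) return null;                                  // not an absolute URL
  const auth = m[1].slice(m[1].lastIndexOf("@") + 1);   // drop any userinfo
  return auth.replace(/:\d*$/, "").replace(/\.$/, "");  // drop port and root dot
}

// trustedHosts: hypothetical allow-list of sites mapped to a privileged zone.
// Bracketed IP literals are not handled and will be reported as suspicious.
function checkLink(url, trustedHosts) {
  const host = rawHost(url);
  if (host === null) return null;
  const lower = host.toLowerCase();
  const labels = lower.split(".");
  let lastBad = -1;
  labels.forEach((label, i) => { if (!LABEL.test(label)) lastBad = i; });

  if (lastBad === -1) {
    // Well-formed host: trust only on an exact match, never on a prefix.
    return { host, suspicious: false, trusted: trustedHosts.includes(lower) };
  }
  return {
    host,
    suspicious: true,
    trusted: false,
    // Trusted name the host text starts with, i.e. what a reader would see first.
    looksLike: trustedHosts.find((t) => lower.startsWith(t)) || null,
    // Valid labels after the last malformed one: the zone a wildcard DNS
    // record could answer for (heuristic).
    resolvesUnder: labels.slice(lastBad + 1).join(".") || null,
  };
}

const TRUSTED = ["trusted.example"];
const SAMPLES = [                        // constructed inputs
  "https://trusted.example/account",
  "http://trusted.example%01.real.example/account",
  "https://other.example:8080/",
];
for (const url of SAMPLES) console.log(url, checkLink(url, TRUSTED));
```

The point of the exact-match comparison is that a host is trusted only when the whole name matches, so a trusted prefix followed by anything else never inherits the trusted site's permissions.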