The Mudcat Café TM
Thread #136793   Message #3127929
Posted By: JohnInKansas
03-Apr-11 - 08:12 PM
Thread Name: Tech: Internet Explorer and Mudcat issue
Subject: RE: Tech: Internet Explorer and Mudcat issue
Fooles Troupe's wiki article at "Cross-site scripting" may be helpful. Similar results are found searching for "XSS."

Internet Explorer has included an XSS filter since version 4. This is nothing new.

It appears that IE9 has incorporated a "more aggressive" filter, that gives many more warnings. It is also possible that the filter hasn't changed all that much, but that a recent update has changed some default settings in IE. The IE9 filter appears to be essentially the same as was first introduced in IE8 Beta 2, although confirmation of incremental changes would be more work than I'm inclined to do immediately.

IE uses "security zones" to control how the security functions integral in IE and/or supplied in other Microsoft packages apply the rules. Changes when other version jumps were released "redefined" some of the zones so that more strict rules were applied to zones with the same name as the less restrictive ones in the prior version. The changes caused flurries of whinging similar to what is now being seen, now mainly but not exclusively from IE9 users. The complaints in previous instances were resolved, mostly when people learned to reset their IE preferences to their personal satisfaction or found the proper add-ins for their other browsers.

Adding a problem site to your "Always allow" box essentially applies the security rules for a "less cautious zone" to the site. When it works for one setup and not for another, it may be just a matter of the "normal zone" being at different levels on the two.

It may be worth noting that with earlier updates, some of the changes that elicited the most complaints are now considered "features" commonly cited by the "my browser is better than yours" philosophers.

While we don't know, as yet, any simple solution for what is now bothering some of us, it can be expected that the difficulties will be resolved.

For the "technically inclined," a blog article at MSDN Blogs > IEBlog > "IE8 Security Part IV: The XSS Filter" gives a brief description of the IE8 (Beta 2) XSS filter. "Event 1046 - Cross-Site Scripting Filter" is an MSDN Library description of the IE8 XSS.

Note that NEITHER OF THE ABOVE TWO LINKS will be of much use, or interest, except to the "seriously technically warped" among us, and neither gives, alone, enough to do much about anything. Either of the links, however, will get you into one of the more arcane (and harder to find) areas at Microsoft where you may be able to poke around to find something that's actually of interest.

For the less technically oriented of those here (i.e. those still incurably sane) my interpretation is:

XSS refers specifically to attempts to distribute malware by means of Cross Linking. The most common use is to direct the browser to an unintended/unexpected location.

Note that XSS as most commonly used does not describe or apply to the legitimate uses of cross-links or redirects, and should not be used to describe legitimate programs and their applications.

There are numerous perfectly valid applications that use Cross Linking. Java Scripts are probably the most common currently seen, but are not the only ones used.

XSS threats are very common now, but have mostly had very low severity. The risk from XSS appears to be quite comparable to the risks of running Flash or using Adobe Reader carelessly. (The risk from Adobe for both is largely that they've been incredibly slow at issuing patches for known vulnerabilities, allowing long-term exploitation before they fix them.)

The intended effect of the IE XSS FILTER is to reject/disable only cross linking code that is likely to lead to undesired effects.

If the IE9 XSS filter works as described for the IE8 version, the filter disables the specific script fragment that the program believes is a danger. The remainder of the page should display correctly in most cases. The message that "the page has been modified" means that the small script fragment that IE "doesn't like" has been disabled, and shouldn't mean that anything else on the page is affected. The disabled fragment may not be shown, or it may be shown but "unlinked" to prevent it from doing anything.

It appears that the web page downloads to TEMP unchanged, and the filter only blocks passing of the suspect script from the TEMP location on to the browser for display.

The XSS filter will flash a warning that it's done something. In all similar previous cases, you have had the option of turning off the warnings while allowing the filter to continue to block suspicious material. As soon as one of us finds a reliable way to do that, perhaps it will be passed on.

It probably is also possible to turn off (disable) the XSS Filter. Details on the IE9 version are not well enough defined in what I've found thus far to indicate how much control you have, and I have no intention of installing IE9 at the present time just to look at it.

For anyone really too impatient to work around the difficulties until solutions are found, Microsoft claims that IE9 can be easily uninstalled and removal will revert you back to whatever prior version you had. A problem many people have had is difficulty finding the IE9 entry in the list of programs in the Uninstall section of Control Panel. You don't uninstall IE9. You uninstall the update that put IE9 on the machine.

Official Microsoft Instructions for REMOVING IE9 (they say they're simple, and of course you believe Microsoft) are at "How do I install or uninstall Internet Explorer 9?", for Win7 and Vista.

John
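
Added example, not part of the post above and not Microsoft's code: a simplified JavaScript model of the behaviour the post describes, where only the script fragment that was sent in the request and echoed back into the page is disabled and the rest of the page is left alone. The three patterns, the `#` substitution, the site name and the sample page are assumptions made for illustration.

```javascript
// Simplified model of a reflected-XSS filter. Assumption: these three patterns
// and the '#' substitution are illustrative, not Microsoft's real heuristics.
const SUSPECT = [
  /<script\b[^>]*>/gi, // opening script tag
  /\bon\w+\s*=/gi,     // inline event-handler attribute such as onerror=
  /javascript:/gi,     // javascript: URL scheme
];

// Overwrite the fourth character with '#' so the fragment no longer parses as script.
function neuter(fragment) {
  return fragment.slice(0, 3) + '#' + fragment.slice(4);
}

// Compare what the request sent with what the page returned. Only a query value
// that is echoed verbatim into the page AND looks like script is altered.
function filterResponse(requestUrl, html) {
  let out = html;
  const blocked = [];
  for (const value of new URL(requestUrl).searchParams.values()) {
    if (value === '' || !out.includes(value)) continue; // not reflected
    let safe = value;
    for (const re of SUSPECT) safe = safe.replace(re, neuter);
    if (safe !== value) {
      out = out.split(value).join(safe); // touch the reflected copy only
      blocked.push(value);
    }
  }
  return { html: out, modified: blocked.length > 0, blocked };
}

// Constructed sample: a search page that echoes the q parameter unescaped.
function renderPage(q) {
  return '<html><head><script src="/site.js"></script></head>' +
         '<body><p>You searched for: ' + q + '</p></body></html>';
}

const BASE = 'http://forum.example/search?q='; // hypothetical site
const injected = '<script>alert(1)</script>';
const flagged = filterResponse(BASE + encodeURIComponent(injected), renderPage(injected));
const benign = filterResponse(BASE + 'folk+songs', renderPage('folk songs'));
console.log(flagged.modified, flagged.html);
console.log(benign.modified);
```

The page's own `<script src="/site.js">` tag survives because it never appeared in the request; only the echoed copy is changed, which corresponds to the "page has been modified" notice.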