One of my favorites... CAS!
Earlier during a class we noticed that Windows 2003 refuses to place code in the Intranet code group, but always uses Internet instead.
So an application started from \\localhost\myApp runs with internet security rights, while the path is obviously pointing into the intranet.
Funny thing is, that if you assign a drive letter to \\localhost\myApp, and execute the application from the mapped drive instead of through a UNC path, the Intranet code group applies again.
Kinda funny seeing that there is no factual difference between the two, only the mapped drive letter. Perhaps this is because mapping drive letters is an admin task? Otherwise I feel this is a small security hole!