Microsoft Internet Explorer 5.0 for Windows 2000/Windows NT 4 FTP Password Storage Vulnerability
source: https://www.securityfocus.com/bid/610/info
FTP usernames and passwords for sites accessed via Internet Explorer 5.X are stored (cleartext) in history files stored under \Winnt\Profiles\[Username]\History\History.IE5\index.dat and \Winnt\Profiles\[Username]\History\History.IE5\MSHist<date>..\index.dat. By default, the \Winnt\Profiles\[Username]\History directories are secured with ACLs to allow Full Control for System, the Administrators group, and the given Username. The index.dat files, however, are created with Everyone:Full Control permissions.
Because the "Bypass Traverse Checking" right is assigned by default to the Everyone group, any user with access to the host can read any other user's index.dat files.
To bypass traverse checking and access another user's index.dat files, reference the absolute filename. For example, to search for all index.dat files belonging to the "administrator" account, issue the following command from a command prompt:
find "//"<\winnt\profiles\administrator\history\history.ie5\index.dat
