I have posted a new security research article, Microsoft Windows Root Certificate Security Issues. It details what seems to be an important problem with the way that Microsoft treats PKI, namely that they by default ignore what users tell them when a user says "I don't trust this root certificate".
I have tried to be fair with Microsoft in the article, and I assume that the problems are based on them not thinking about the problem from the user's standpoint rather than being based on malice. The last section of the article points out that the problems under Vista are much worse than they are under Windows XP, but at least those problems are more obvious to users.
I would love to hear feedback on the article, particularly from people who have figured out more about how this works in Vista.