While trying to track down that threading issue, I noticed that f-in-box uses CreateURLMoniker. I was just wondering if you were familiar with a couple things MSDN says about it:
http://msdn.microsoft.com/en-us/library/ms775102(VS.85).aspx
Deprecated. Do not use. Creates a URL moniker from a full URL string, or from a base context URL moniker and a partial URL string.
...
Security Alert This function does not correctly interpret percent encoded octets in Microsoft Windows file paths or "file://" scheme Uniform Resource Identifiers (URIs). On systems with Microsoft Internet Explorer 6 and earlier, calling CreateURLMoniker with the output of a previous call might produce a result that is not equivalent. Since CreateURLMoniker can produce results that are not equivalent to the input, its use can result in security problems.
Use CreateURLMonikerEx with the URL_MK_UNIFORM flag to ensure that Windows file paths and "file://" URIs are interpreted correctly with regard to percent encoded octets; and that the result is equivalent to the input. To correctly extract a Windows file path from the result of CreateURLMoniker, use the PathCreateFromUrl function.
...
No real question here, just wanted to bring it up if you didn't notice it. It's a bit obscure so it'd be easy to miss something like this coming up.