Here is an interesting look at some of the false positives:
Firing on just "<script>" in the URL
Google: Search for <script> using the normal website. It will work.
But try going directly to the URL http://www.google.com/search?hl=en&q=%3Cscript%3E
IE 8 XSS filter kicks in.
Here are a few more:
Firing on ";alert(123);
Maybe this is someone looking for an XSS issue, but that is stretching it. Again, no real attack would use this.
Firing on ";abc(123);
So it looks to me that the XSS filter is firing pretty liberally. The problem will begin when more people adopt IE 8 and websites start to see this filter breaking legitimate functionality. At that point the websites will begin disabling the XSS filter by adding the following response header.
That's right. The website has the ability to disable security controls set up in your browser. Seems like a bit of an odd model, right? So don't go and rely on this control for your security. If you want to take action to protect yourself then I recommend Mozilla and the NoScript plugin.
Also, if you are conducting security reviews and need to use IE 8 then check out this post on automatically disabling IE 8 XSS with WebScarab's BeanShell.
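The opt-out header referred to above is X-XSS-Protection, and a value of 0 tells IE 8 to switch its filter off for that response. The following is an added example, not code from the original post or from WebScarab: a small Python checker that parses a raw HTTP response and reports whether the site has opted out of the filter, which is a useful thing to flag during a security review. The sample responses are constructed for the example; the directive parsing (a leading 0 or 1, optionally followed by mode=block) is based on the header syntax IE 8 accepts.

```python
from typing import Dict, Optional


def xss_filter_state(raw_response: str) -> Dict[str, Optional[object]]:
    """Parse an HTTP response (status line plus headers) and report how the
    X-XSS-Protection header configures the IE 8 XSS filter.

    Returns a dict with:
      header  - the raw header value, or None if the header is absent
      enabled - False only when the site sends an explicit 0 (opt-out)
      block   - True when 'mode=block' is present (IE blocks the page
                instead of neutering the suspected script)
    """
    # Only the head matters; split off any body after the blank line.
    head = raw_response.split("\r\n\r\n", 1)[0]
    value: Optional[str] = None
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "x-xss-protection":
            value = val.strip()  # last occurrence wins, as browsers do
    if value is None:
        # No header: the browser's own default (filter on) applies.
        return {"header": None, "enabled": True, "block": False}

    directives = [d.strip() for d in value.split(";") if d.strip()]
    enabled = not (directives and directives[0] == "0")
    block = any(d.lower() == "mode=block" for d in directives[1:])
    return {"header": value, "enabled": enabled, "block": block}


# Constructed sample responses (not captured from any real site).
RESP_OPTED_OUT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
    "<html>...</html>"
)
RESP_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
RESP_BLOCK = (
    "HTTP/1.1 200 OK\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "\r\n"
)


def review_report(responses: Dict[str, str]) -> Dict[str, str]:
    """Summarise each named response for a review note."""
    report = {}
    for name, raw in responses.items():
        state = xss_filter_state(raw)
        if state["header"] is None:
            report[name] = "no header; browser default filter applies"
        elif not state["enabled"]:
            report[name] = "site opted out of the IE 8 XSS filter"
        else:
            mode = "block" if state["block"] else "filter"
            report[name] = f"filter explicitly enabled ({mode} mode)"
    return report


if __name__ == "__main__":
    for site, verdict in review_report(
        {"opted_out": RESP_OPTED_OUT, "default": RESP_DEFAULT, "block": RESP_BLOCK}
    ).items():
        print(f"{site}: {verdict}")
```

Running it over a saved response from a proxy such as WebScarab tells you at a glance whether the target has turned the browser-side control off, which is exactly the case the post warns you should not be relying on.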