The stupid thing about IE's implementation is that, while it is supposed to restrict third-party cookies unless sites have an acceptable privacy policy, it treats an invalid P3P header as if it were an acceptable privacy policy, rather than treating it as if there were no privacy policy. I don't see anything in the spec which mandates that.
