Were you able to get it working in any browsers or did you discover it does not work at all later? That would be a huge loophole if it worked in any browser under any circumstances.
Basically, you can set top = null in the parent page, and it behaves as you expect -- there is no magic going on. But "top" gets reset for the iframe.
I didn't try anything more evil than that, though. I think if the parent script did something like "while(1){}", it could "starve" the iframe of CPU time, and it would never have the chance to change the URL.
At that point, though, I think I would just implement the toolbar as browser chrome.
I did a quick experiment. If you set top = null, then top.location stops working.