I’ve just seen the most wonderful demonstration of the (lack of) usability of security popups.
I am sitting in an XTech talk on XHTML 2. A moment ago, during the presentation, the presenter’s laptop popped up a “Zone Alarm” alert on top of his presentation. He immediately clicked “Yes”, without reading it, and carried on talking!
I have some experience of Zone Alarm, and I know that it’s very popup-happy, particularly in the default configuration where it tries hard to justify its existence by alerting the user to every incoming unknown packet. Its creators should consider how having a great deal of popups, in fact, decreases security.