I completely agree the first post is only a temporary fix. We have also seen the issues to discribed, and that the "bad" cert is reinstalled to recipents, when users with the "bad" cert installed send mail to clean users. Tell me more about the commercial websites you're having issues with, and needing these certs to work properly? The fix for us is for Microsoft to tell us how to block this auto install of these certificates.