apparently various folks think entering in "javascript:alert('xyz=' + xyz)" is a security hole, and this is why the "Protected Mode" is on by default. PM enabled means that the javascript: protocol will not work in the address bar.
Solutions:
(1) turn off PM for the zone your website is in.
(2) click F12 and use the Developer tool's Console (e.g. type "alert('xyz=' + xyz)" and you get your desired result
(3) the very WEIRD but quick workaround described below:
http://answers.microsoft.com/en-us/ie/forum/ie9-windows_7/cant-paste-javascript-into-the-address-bar-ie9-rc/aa377c2f-7a43-e011-90b6-1cc1de79d2e2
^ basically, you paste in the code and notice the "javascript:" prefix vanishes, well just make sure you have that code in the clipboard, and AFTER clicking CTRL+V to paste it in, press CTRL+E and you'll see a "?" character in front, now CTRL+V again and your entire code line stays, just click HOME and delete that "?" characer in front, voila it works.
So I guess "Protected" mode is actually useless, at least in regards to protecting the user from the dreaded "javascript:" protocol's so-called dangers (http://lifehacker.com/5811345/use-your-browsers-address-bar-as-a-calculator-without-googles-help)... actually, even quicker: just click CTRL+E *FIRST* then type in (or paste) your javascript:xyz and remove that "?" character before hitting Enter!