I've found the source of the problem, but it took some digging.
Firstly Eric Law has come up with a prototype tool (exe) in another answer that helped identify the problem.
The nonsecure resource is:
data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=
The problem is that IE6 doesn't support data URIs, so we don't use them. So where has this come from?
It turns out that jQuery UI 1.8 is the problem, specifically a fix for another bug in the CSS:
.ui-resizable-handle { position: absolute;font-size: 0.1px;z-index: 99999; display: block;
/* http://bugs.jqueryui.com/ticket/7233
- Resizable: resizable handles fail to work in IE if transparent and content overlaps
*/
background-image:url(data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=);
}
It looks like others have also spotted this issue, and it's been fixed in the latest jQuery UI CSS (1.9 or above).
My fix was to replace that with a regular URL for a blank gif, problem solved.