Cheers for the swift reply.
It's a strange one this as I can stop it from happening!
The way I have stopped it is very crude and involves making the page do a META refresh on the secure server ridding it of all the variable values, then, once it's Mr. Clean I META refresh it again, sending it to the non-secure server. This stops the message appearing and I can even pass variable values by reference to the non-secure server through this method. It goes against my very being though, and I don't want to do it this way.
I guessed that as the META refresh is controlled client side it wouldn't work for the reason you stated but my results seem to suggest that it is the forms data that is the problem??
I am very probably wrong tho.. it's a habit.