Almost every navigation in Internet Explorer results in a flurry of security checks. Many of these checks are fairly obvious things, such as checking the URL of the current location (the context URL) and the pending navigation's destination URL to see if their zones/domains/protocols/etc are the same/different/acceptable/etc. Much of my time recently has been spent debugging strange combinations and ways of navigating. I will not bore you with the details; my goal is to emphasize the importance of context. I will mainly speak to the Internet Explorer Pop-up Blocker's dependence on the context URL.
The Pop-up Blocker is dependent on the context URL. When the page attempts to open a new window, mshtml queries the Pop-up Blocker. The Pop-up Blocker looks in the white list to see if this page is exempt from new window management. If, for some reason, the context URL provided is NULL, then obviously it cannot be matched to a domain in the white list.
So let us examine the following:
var oSpan = document.createElement("span");
oSpan.innerHTML = "<a href='http://www.microsoft.com' target='_blank'>Microsoft.com</a>";
When the anchor causes the browser to navigate, it will see the _blank and attempt to open a new window. This attempt will have to be verified by Pop-up Blocker. But the span is not parented to anything, thus it has no context. Elements with no context get the default context, which is about:blank, which confers no rights.
The moral of this story is always remember to parent your dynamically created elements to something in the document: