Description:
The default permissions shipped in mysql-noinstall-4.1.12a-win32.zip are very insecure.  Any user on localhost can do anything, including alter privileges.

Below is a dump of the value from the user table I'm talking about:

INSERT INTO `user` VALUES ('localhost','','','Y','Y','Y','Y','Y','Y','Y',
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);

How to repeat:
Unzip mysql-noinstall-4.1.12a-win32.zip.
Install and start server.
Connect (mysql -P 3307 mysql)

select * from user;
update db set Db = 'badnews' where Db = 'test';
select * from user;

Suggested fix:
Have root be the only record in db by default.

This behavior is for to make easy the initial start-up of the server.
How to proceed after the install process is mentioned in the Manual:

http://dev.mysql.com/doc/mysql/en/default-privileges.html
-------------------------------------------------------------------------------------------
 As noted, none of the initial accounts have passwords. This means that your MySQL installation is unprotected until you do something about it:

    *

      If you want to prevent clients from connecting as anonymous users without a password, you should either assign passwords to the anonymous accounts or else remove them.
    *

      You should assign passwords to the MySQL root accounts.

The following instructions describe how to set up passwords for the initial MySQL accounts, first for the anonymous accounts and then for the root accounts. Replace ``newpwd'' in the examples with the actual password that you want to use. The instructions also cover how to remove the anonymous accounts, should you prefer not to allow anonymous access at all. 
-------------------------------------------------------------------------------------------