Bug #2836: Logon to the root account without using a password is possible.
Submitted: 17 Feb 2004 3:02 Modified: 17 Feb 2004 9:02
Reporter: Andre Steenveld
Status: Not a Bug
Category:MySQL Server Severity:S3 (Non-critical)
Version:4.0.18-max OS:Windows (Windows 2000 (server))
Assigned to: Dean Ellis CPU Architecture:Any

[17 Feb 2004 3:02] Andre Steenveld
Description:
Access to the MySQL service is *only* protected by a password when using -h localhost. Anyone can have full control of all details when accessing the service from any other address than localhost.

MySQL service running on a Windows 2000 server system as mysqld-max.exe, version 4.0.18-max without any problems.

Connections to the service with MySQL Administrator 1.0.1a ALPHA and mysql.exe 4.0.18 via localhost work without any problem (e.g. mysql.exe -h localhost -u root -p <password>). Connection is refused if no password is used.

Connections with any other host address than 'localhost', also with MySQL Administrator 1.0.1a ALPHA and mysql.exe, are *only* possible without using a password (e.g. mysql.exe -h server.mydomain.nl -u root). Connection is refused if a password is used.

How to repeat:
Just connect from any (Windows) client to the server using MySQL Administrator or mysql.exe

Suggested fix:
none from my side. (Sorry, I'm just a starter on MySQL.)

Workaround:
none known to me.

Did I make a mistake in the configuration?
[17 Feb 2004 3:59] Andre Steenveld
During installation I followed the instructions as closely as possible. It was not clear to me that it is possible to specify the use of a password on a 'per link' basis.

I consider what has happened still a (documentation) bug and have a few questions left.
 - Why is per default no password used? This makes MySQL 'vulnerable out of the box'.
 - Why do the installation instructions not pay more attention to this effect? It is easy to overlook for an inexperienced user.
 - Did *you* check your installation? :)
[17 Feb 2004 9:02] Dean Ellis
This is intended and documented, due (as you note) simply to the need to set passwords on the logins which are created by the default install (see the Post-Installation notes in the manual, for instance).
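The post-installation step referred to above, written out as an added example (not part of the bug report or of the MySQL manual): first list every account in the grant tables that still has an empty password, broken down per host entry, since the reporter's symptom is exactly a root entry for a non-localhost host with no password; then assign a password to that entry. The host pattern `'%'` for the remote root entry and the placeholder password are assumptions; substitute whatever the check query actually returns. The `Password` column name and the `PASSWORD()` function match the 4.0-era grant tables discussed here.

```sql
-- Added example, not from the bug report or the MySQL manual.
-- Run as a user that can read mysql.user, e.g. root connected via -h localhost.

-- Step 1: find every user@host entry that can log in without a password.
-- Each row here is an account that an unauthenticated client can use
-- from the matching host; the remote root entry from this bug shows up
-- as User='root' with a Host other than 'localhost'.
SELECT Host, User
  FROM mysql.user
 WHERE Password = '';

-- Step 2: give the remote root entry a password.
-- '%' is an assumed host pattern; use the Host value from step 1.
-- 'replace-with-a-strong-password' is a placeholder, not a real value.
SET PASSWORD FOR 'root'@'%' = PASSWORD('replace-with-a-strong-password');

-- Step 3: make the change effective for new connections.
FLUSH PRIVILEGES;

-- Step 4: re-run the check; it should return no rows for root.
SELECT Host, User
  FROM mysql.user
 WHERE Password = '' AND User = 'root';
```

Because each `Host`/`User` row in `mysql.user` is a separate account, setting a password for `root@localhost` (which the reporter evidently had done) leaves every other root row untouched; the check in step 1 is the part worth repeating after any install or upgrade.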