>By default, the Web.Config httpRuntime requestPathInvalidCharacters is set up to intercept seven characters. If it finds them in the path, this will generate the situation. It is possible to adjust the parameter to remove the & from the list. But, then again, this will generate HTTP Error 404.0 - Not Found. So, basically, we might as well let it go. It is just that it records entries in the Event Viewer under Warnings and we have to check that on occasional basis to see if there is something we need to adjust.

Hadn't come across this but it appears you can override the default validation by specifying your own class derived from RequestValidator:
http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationtype.aspx
Just a question of overriding IsValidRequestString (and maybe supplying validationFailureIndex).....