Secure by default and the list of team projects
Another brown-paper-bag bug in TFS 2005 was that, by default, all valid users could see the full list of team projects. You would grant read access to some random team project and all of the sudden, when the user connected they could see all your team projects. D'oh! It wasn't difficult to change the permissions to prevent this (and sites like CodePlex had to do exactly that), but it wasn't a good experience nonetheless.
Willy-Peter (whom I had a chance to work with for a bit on the TFS BPA) noticed that got fixed in TFS 2008. :)