It appears that setting a Cache-Control: no-store header is ignored on https connections. It does appear to work with http connections. This seems an especially nasty bug since many banking sites use https and set the no-store header to avoid pages being stored on a users machine, or where ever the user happens to be.
The "Do not save encrypted pages to disk" checkbox is NOT checked. This still should not affect what the server says in the Cache-Control header when it returns a "no-store" option.
The page is displayed from the cache, despite the no-store header being set. In itself, possibly ok because the user hasn't closed the window, but...
The page is displayed from the cache. This is the more serious bug. The page was stored in the cache despite the no-store header being set. This has definitely information leakage and security implications as the user could have gone to a secure https banking page, then closed IE totally. Then another user could come along, open IE, look through the IE history, and navigate to a page in the history to get the supposedly secure, no-cached https page!
This only seems to be a problem with https URLs. If you change the above to plain http URLs, it does appear to obey the Cache-Control header.
If on the security settings page, you change check the Do not save encrypted pages to disk option is checked, then it appears effectively the no-store option is always set, and things work ok, but a user shouldn't have to navigate to the Advanced tab to check this setting on every machine they use (eg friends, work, etc), the server specifying the Cache-Control: no-store option should be enough.