Not specifically but a lot of bad stuff that comes in is simply rejected with 403 if I already have the IP range in my database so I would not usually see it unless it was very persistent.

By now I have a lot of server ranges (though by no means all) plus a lot of "bad" dynamic IP ranges - ie they have hit my sites with ill intentions, been blocked and then added to the database. I also record "good" ranges - those that have hit from a compromised (botnet) machine but from a range that is usually a good dynamic one (eg roadrunner dynamic, BT dynamic etc).

I do not reject all IE6 hits - it depends on the headers: certain combinations I have found presage scrapes or similar and those are rejected and ultimately added to the database either as "always bad" or "usually good" ranges..

In actuality bad hits on new IP ranges are recorded in the database anyway and used to block further immediate activity until, a few minutes or hours later, I get around to "ranging" the IPs for either a server block or a dynamic "accept unless" listing of the range.

I think a bare IE6 UA such as you give is anyway suspect as it should at some time in its life cycle have acquired MS upgrade info, I would have thought, especially on XP and later.

Here's another too-bare one, from a source that should do better...

urlc1.mail.mud.yahoo.com [209.191.87.214]
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

14:16:12 /
14:16:27 /

robots.txt? NO

The rDNS name suggests that is a mailbox for yahoo accounts so it's feasible that someone clicked on a link in an email.

On the other hand, I've always been suspicious of mud.yahoo. :(

Me, too. And that's why I think it's more likely a Yahoo thing because of its sibling subdomains:

From 09-19-11:

urlc3.mail.mud.yahoo.com [209.191.87.216]
07:49:35 /
07:49:57 /

From 02-04-11:

urlc4.mail.mud.yahoo.com [209.191.87.217]
18:53:42 /
18:53:43 /

Always double-hits. Never robots.txt. Always the block-worthy:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

By the way, the curious, fake, translates-as --

http://keywordA:keywordB@

-- pattern in the OP appeared again, but this time one t-dialin.net machine repeated each faked URI=REF pattern shown by two prior machines. The odds of this being happenstance are nil. But what is it, I wonder?

HIT ONE:
URI:
//www.example.com/dir/filename1.html+http%3A//keywordA%3AkeywordB%40
REF:
/dir/filename1.html+http%3A//keywordA%3AkeywordB%40

HIT TWO:
URI:
//www.example.com/dir/filename1.html
REF:
/dir/filename1.html

HIT THREE:
URI:
//www.example.com/dir/filename2.html+http%3A//keywordC%3AkeywordD%40
REF:
/dir/filename2.html+http%3A//keywordC%3AkeywordD%40

HIT FOUR:
URI:
//www.example.com/dir/filename2.html
REF:
/dir/filename2.html

Again, all via:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Only thing I can think of is a link checker, possibly running for a search directory? Or possibly getting its source URLs from a traditional SE?

R.I.P. --

MS declares IE6 Dead (tangor) [webmasterworld.com...]
U.S. IE6 Usage Drops Below 1 pct (engine) [webmasterworld.com...]

They stopped updating IE6 a couple of years or more ago. Around the time google got trojanned through it. :)

I still get a fair number of IE6 hits, some real humans. Three machines I have here cannot use any MS browser higher than 6 - they are windows 2000, which is itself obsolete and no longer updated. Thank goodness for firefox and linux! :)