Well, i have googled around but i've found only few articles (like the one pointed in first post) that state location is "obviously" supposed to be readonly and all properties become writeonly, when document.domain does not match. By the way, i'm absolutely certain that the url is not x-site, because in that case it would break 100% time. Also, i have tried to compare current $.ajax() implementation with the previous 1.4.2 (that ALWAYS WORKS), but they completely differs, and nowhere (at least i has not been able to found where) the .protocol property is accessed directly.
One customer (Using XP and IE8) reported back that setting all IE security settings to default have cured the occurrence of this random crash so far. So i think have something to do with arcane security settings that may be applied to IE into "intranet sites" area. All url are intranet.
We will try to temporary use the developer version of 1.5 with a try catch added, just to know if the crash is postponed elsewhere or not. At the last resort i will revert back to 1.4.2 that DO work rocksolid without any hiccup (but i would like to stay on 1.5 for other minor advantages).
Thank you for your great support. I still think that in case of an internal "access denied" error inside $.ajax it would be better to forward the error to external error callback handler appropriately, and not internally crash (so i can at least implement a retry alghoritm before giving up).