Since windows vista, the windows certificate store contains only a handful of trusted roots by default.
When accessing an SSL website using internet explorer, the untrusted root is checked with microsoft on demand whether it should be trusted or not (somehow using windows update, don't have the details yet). If it is determined to be good, then it is added to the local cert store as a 3rd party root certificate and trusted automatically.
Presumably the result of this verification can also be an explicit distrust (for known compromised CAs) or unknown (e.g. an intranet CA)
There are root certificate bundle updates from MS which can be manually installed, but these are only installed automatically on windows XP.
In corporate environments, CA bundles can be pushed using group policy (again, don't have details, but the MS web page suggests disabling the on demand verification and using this mechanism instead if you (as a sysadmin) want to decide for yourself which CAs to trust)
Workaround for this problem is to install the most recent "Update for Root Certificates For Windows XP" package from Microsoft, which will install all the currently trusted certificates.