We're seeing a very similar issue. Occasionally a few users will go to a website that notifies them that they need Windows Antivirus 2009 or 2010 (fake antivirus). Irregardless what option the user selects, the fake antivirus installs. If the user knew to close the window, it wouldn't install.
I, too wonder why Endpoint Protection v11.03 or 4 doesn't stop it. I haven't seen it infect a PC with 11.05 yet, but imagine that it's just a matter of time.