This is a bug in Asp.Net Mvc (definitely 2, probably 1 as well) which I have blogged about here (if you get an error when my blog opens - just refresh!), and I have reported to the MVC team here.
If the web application is hosted inside a virtual directory that contains spaces, then the internal mechanism that MVC uses to generate a data serializer for the anti forgery token fails to work. It uses a fake Asp.Net page request, but something about the way it fakes the request causes URL validation to fail and incorrectly identifies the URL as being outside the current application.
The current workaround is to remove the spaces from the application's directory name - hyphens are a good choice. I believe that any characters that require URL-encoding in the path might be a problem.
The reason why you might get this error and a colleague won't is if in your web project you allow each developer to have their own web binding. The default for web projects will be to use Cassini - which, of course, will not have this issue.