And why wouldn't she?
To a "normal" person, the "certificate" has no meaning. And all browsers couch the message in PC speak - "this *may* be an invalid certificate", etc. Which, to a user, means "sure, it may, but I always go here and it's safe".
If you want users to stop browsing there, three things need to happen:
* Browsers need a "safe" mode, on by default, that flat-out doesn't let you browse to those sites. No warning, no buts, no "Are you sure" dialogs. Just say no.
* If people *need* to get there, give them some training on security issues and then take of the safety measures slowly.
* IT departments need to stop cranking out their own internal certificates, or at least they need to update the CA list for users. God damn it, I don't want to see a certificate warning for internal sites.