they generally send the login info to the bank via ssl 'post' even tho page you login from doesn't have lock icon.

this is OK except that SSl performs another function: authenticates website, i.e. it performs a check that would be hard for a phisher, who had copied the website AND poisoned the DNS to show the correct website name even tho pointing to phisher site, would have trouble getting around if SSL was there.

so your login is probably encrypted, but it may not really be your bank. fairly unlikely now but could happen with a DNS at a company being poisoned even if the internet DNS was not, so logging to your bank from just your company could be going to wrong place if they had hacked the DNS.
http://blogs.techrepublic.com.com/Ou/?p=226