Thanks. I was able to remove '&' from the list of invalid characters, and through this I was able to get past the 'dangerous Request.Path' error.
However, now the ASP.net engine just thinks that the URL is pointing to a non-existent resource (presumably because it thinks the '&cfs=1' is part of the file name). Is there a way at this point to strip-off the trailing characters and just serve the image? This will deprive whatever application is requesting the resource of the URL parameters, but at least it won't get an exception. I'm not sure if this is a better solution or not.
Is there any way to determine where these requests are coming from? I can't find much information on the url variables I'm seeing but what little I did find seems to hint that it's coming from Facebook.