I remembered that I had found a similar issue a while back and hadn't got round to disclosing it to them, so I therefore guess its fine to include in the month of full disclosure.
And with that I give you a new Symantec XSS bug.
Notes about the bug are as follows.
the issue is caused by Symantec not checking that html comments cannot be ended via user input. So all I had to do was to close the HMTL comment tag and then insert any code I saw fit. In this case a very simple JavaScript Alert box as is the norm with demonstrating XSS bugs and I also added a little Iframe.