Any of the ubiquitous 'make the asterisks go away' programs will unhide the password from the connect box, or a program called pwlview can brute-force decrypt the passwords from password lists stored on disk. (In win95 OSR2 and above, this may take a while, as they're no longer stored using weak encryption)

Given that 9X's security model revolves around the box being single-user, physically secure1, and not running any malicious code2, it would be easy enough to write a program that waits for a user to log on (and hence unlock the .PWL), calls the PWL api, and asks for the password. Windows would be all too happy to oblige. Pwlview can dump the passwords from an unlocked PWL, but does need physical access. Microsoft PWLEDIT does too, but it doesn't tell you the passwords, merely the usernames.

1. All together now, 'If it's not physically secure, it's not secure'...

2. But so does every other OS, too.
Quite frankly, if someone has the kind of access to your box where they can run arbitrary code without your knowlege, your're stuffed no matter what OS you're using.