A quick way to check whether a web site that is both in the intranet zone and in the exceptions list bypasses the proxy server

 

Many users are confused by these questions:

1) Does a web site that is both in the intranet zone and in the exceptions list bypass the proxy server?

2) Does a web site that is in the intranet zone but not in the exceptions list bypass the proxy server?

Since many articles already discuss this question, it is more efficient to give users a ready-made result.

 

The tables below show the results.

Two web sites were tested: 1# is an FQDN with dots, 2# is a host name without dots.

Client machine OS: Windows 7 x64 with IE9 (32-bit)

 

| Num | Web Site Num | Web Site is FQDN with Dot | In the local intranet zone | Checked "Use a proxy server for your LAN" | Checked "Include all sites that bypass the proxy server" | Bypass proxy server for local addresses | Added Web Site in Exceptions List | Result: Via Proxy Server | Result: Classified as intranet |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 1# | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
| 2 | 1# | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
| 3 | 1# | Yes | Yes | Yes | Yes | No | Yes | No | Yes |
| 4 | 1# | Yes | Yes | Yes | Yes | No | No | Yes | Yes |

 

| Num | Web Site Num | Web Site is FQDN with Dot | Added FQDN in the local intranet zone | Checked "Use a proxy server for your LAN" | Checked "Include all sites that bypass the proxy server" | Bypass proxy server for local addresses | Added Web Site in Exceptions List | Result: Via Proxy Server | Result: Classified as intranet |
|---|---|---|---|---|---|---|---|---|---|
| 5 | 2# | No | Yes | Yes | Yes | Yes | Yes | No | Yes |
| 6 | 2# | No | Yes | Yes | Yes | Yes | No | No | Yes |
| 7 | 2# | No | Yes | Yes | Yes | No | Yes | No | Yes |
| 8 | 2# | No | Yes | Yes | Yes | No | No | Yes | Yes |

 

References:

 

https://technet.microsoft.com/en-us/library/dd346863.aspx

 

Include all sites that bypass the proxy server. Typical intranet configurations use a proxy server to access the Internet with a direct connection to intranet servers. This setting uses this kind of configuration information to distinguish intranet from Internet content for purposes of zones. If the proxy server is otherwise configured, you should clear this option and use other options to designate files that are assigned to the Local Intranet zone. In systems that do not have a proxy server, this setting has no effect.

 

https://msdn.microsoft.com/en-us/library/bb250483(v=vs.85).aspx

 

  1. Include all local (intranet) sites not listed in other zones
  2. Include all sites that bypass the proxy server
  3. Include all network paths (UNCs)

 

There's also the Advanced button, which allows you to manually specify sites to be added to the LIZ.

 

  • The first option is what we refer to as the "dot rule." Basically, it means that a host name which does not contain a period (for example, https://example/) is zoned in LIZ. Some exceptions exist, for instance, "dotless IP address" format is not permitted by this rule.
  • The second option is the primary subject of this article, so keep reading. :-)
  • The third option places files accessed by way of UNC syntax (for example, \\example) into the LIZ. IP addresses are not permitted, so \\207.28.127.1, for instance, is not placed in the LIZ by this rule.

 

The second option, "Include all sites that bypass the proxy server," is deceptively complex. To fully explain it, it's helpful to understand how Internet Explorer gets proxy information.

 

In Internet Explorer, on the Tools menu, click Internet Options, and then click the Connections tab. If you're connected by way of a LAN connection, click the LAN Settings button, otherwise select your dialup connection and click the Settings button.

 

On the configuration dialog, there are three choices:

 

  1. Automatically detect settings
  2. Use automatic configuration script
  3. Use a proxy server for your LAN [or for this connection]

 

Choice #3 is the most straightforward—it allows you to manually specify the address and port of a proxy server. If you choose this option and click the Advanced button, you can enter host names that should bypass the proxy under Exceptions. As you might expect, if you enter exceptions and have configured the Local Intranet Zone option to include "All sites that bypass the proxy server," then the host names of those exceptions will be zoned into the LIZ.

 

Choice #1 and #2 are closely related and result in Internet Explorer determining its proxy configuration at runtime by way of a script. The first option uses an algorithm called Web Proxy Auto Discovery (WPAD) to locate the configuration script, while the second option allows manual entry of the script location. In either case, the Proxy AutoConfiguration (PAC) script is written in JScript, and provides an implementation of the function FindProxyForURL (in the form: FindProxyForURL(url, host);). This function is called when Internet Explorer is asked to navigate to a URL, and the target URL and host name are passed into the function for evaluation. If the function returns a proxy string (for example, 'MyProxy:80') then the specified proxy is used for the request. Otherwise, if the function returns 'DIRECT' then the origin server is contacted directly, without using a proxy.

 

And there was the source of the surprising behavior—when the bugs were filed, the reporter didn't think to check the proxy settings.

  • In cases where the user was seeing sites (for example, https://payroll.internal.example.com/) that they expected to be in the LIZ zoned as "Internet," they had not configured a proxy server and were accessing the fully-qualified domain name of the server, dots and all. There was no clue to the browser that this was expected to be an "Intranet" site.

 

  • In other cases, users were surprised to see a fully-qualified domain name (for example, https://extranet.external.example.com/) zoned into the LIZ because the address contains dots. What they didn't realize is that Internet Explorer was configured to use a PAC script and the proxy-administrator had authored the script to bypass the proxy for any hostname ending in "example.com."
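
The eight table rows and the two surprise cases quoted above can be reproduced with a small model of the routing and zoning decisions. This is an added example, not code from Microsoft or from the original post; the setting names, the host names `web1.corp.example.com` and `web2`, the sample PAC function, and the treatment of "local addresses" as names without a dot are assumptions.

```javascript
// Added example: simplified model of the settings on this page (names are hypothetical).
const hasDot = (host) => host.includes(".");
const isDotlessIp = (host) => /^(0x[0-9a-f]+|\d+)$/i.test(host);

// Exceptions entries may contain "*" wildcards, e.g. "*.example.com".
function inExceptions(host, exceptions = []) {
  return exceptions.some((entry) => {
    const body = entry.split("*")
      .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
    return new RegExp(`^${body}$`, "i").test(host);
  });
}

// Returns "PROXY", "DIRECT" (proxy configured but bypassed) or "NONE" (no proxy).
function route(host, s) {
  if (s.pac) return s.pac(`https://${host}/`, host) === "DIRECT" ? "DIRECT" : "PROXY";
  if (!s.useProxy) return "NONE";
  if (inExceptions(host, s.exceptions)) return "DIRECT";
  // "Bypass proxy server for local addresses": modelled as "no dot in the name",
  // which is what rows 2 and 6 of the tables show.
  if (s.bypassLocal && !hasDot(host)) return "DIRECT";
  return "PROXY";
}

function zone(host, s) {
  if ((s.zoneSites || []).includes(host)) return "Intranet"; // added via Advanced
  if (s.dotRule && !hasDot(host) && !isDotlessIp(host)) return "Intranet";
  // No effect when no proxy is configured: route() returns "NONE" in that case.
  if (s.includeProxyBypass && route(host, s) === "DIRECT") return "Intranet";
  return "Internet";
}

// Rows 1-8 of the tables: [host, bypassLocal, inExceptionsList, expectViaProxy]
const SITE1 = "web1.corp.example.com", SITE2 = "web2"; // constructed host names
const rows = [
  [SITE1, true, true, false], [SITE1, true, false, true],
  [SITE1, false, true, false], [SITE1, false, false, true],
  [SITE2, true, true, false], [SITE2, true, false, false],
  [SITE2, false, true, false], [SITE2, false, false, true],
];
function checkTable() {
  return rows.every(([host, bypassLocal, listed, viaProxy]) => {
    const s = { useProxy: true, includeProxyBypass: true, bypassLocal,
                exceptions: listed ? [host] : [], zoneSites: [host] };
    return (route(host, s) === "PROXY") === viaProxy && zone(host, s) === "Intranet";
  });
}
// Constructed PAC function for the second surprise case: bypass *.example.com.
const examplePac = (url, host) => (host.endsWith(".example.com") ? "DIRECT" : "PROXY MyProxy:80");
```

With no proxy configured, `zone("payroll.internal.example.com", { dotRule: true, includeProxyBypass: true })` yields `Internet`; adding `pac: examplePac` to the same settings places `extranet.external.example.com` in `Intranet`.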

 

Regards,

 

XiaoMan from DSI Team