Today I became aware of this interesting/potentially dangerous default behaviour in Internet Explorer when you use a proxy configuration PAC/WPAD file. Yes, I know that WPAD is a bad idea for other reasons, too.
To quote the IEInternals blog: “One sometimes surprising aspect of proxy scripts is that they impact the Internet Explorer Security Zone determination…. if a proxy script is in use and returns DIRECT, the target site will be mapped to the Local Intranet Zone.”
This is a non-issue if your PAC file only bypasses the proxy server for internal sites, but if you for some reason need to bypass the proxy for an external site, it’s suddenly running outside of Protected Mode and is without the protections in place that the default Internet Zone settings offer.
Here’s a test with the settings in the default state, and the PAC file instructing all HTTPS traffic to BYPASS the proxy:
The solution to this is to ensure that the following box is un-checked.
This setting can be found in Internet Explorer under Internet Options > Security (tab) > Local Intranet > Sites (button)
In a corporate environment, you can disable this “feature” via GPO, under Computer/User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Sites: Include all sites that bypass the proxy server
Disabling via GPO will result in the checkbox being greyed out:
Another test run after making the above changes, showing the correct zone assignment:
Post-publishing footnote:
I discovered that you also need to ensure that Automatically detect intranet network is not checked.
This can be achieved via GPO under Computer/User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Turn on automatic detection of intranet (set to disabled)