The Local Intranet Zone and Proxies: The Surprising Connection

  • Article

Eric Lawrence
Microsoft Corporation

August 19, 2005

Internet Explorer's security model is based around five zones: The Restricted Sites Zone, the Internet Zone, the Local Intranet Zone, the Trusted Sites Zone and the Local Machine Zone. Zones offer a convenient mapping between sites and desired security settings. You can see your current zone settings in Internet Explorer on the Security tab of the Internet Options dialog (which you can access from the Tools menu by clicking Internet Options).

Over the past few months, I've seen a number of bug reports observing that the Local Intranet Zone (LIZ) isn't behaving as expected. Sometimes sites (for example, https://payroll.internal.example.com) expected to be classified as "Intranet" are being zoned as "Internet" sites.

Thus certain zone-restricted actions (for example, ActiveX download) are blocked. Alternatively, some sites (for example, https://extranet.external.example.com) expected to be zoned as "Internet" sites are being zoned as "Intranet" sites.

While exploring the root cause of this issue, I discovered the sometimes surprising relationship between zones and proxy server configuration.

First, let's look at how a site gets into the LIZ. It is often convenient that TCP/IP allows a server halfway around the world to be accessed as easily as the machine down the hall. On the other hand, the question of what is "local" is left up to the user or network administrator. It's easy to assume that IE could magically "know" when a site is on the Local Intranet, but this just isn't so.

As in the other security zones, a user can manually add sites to the LIZ using the Sites button on the Security Options dialog. However, the Sites button for the Local Intranet Zone offers options not present for other zones. Specifically, the following three options are available.

  1. Include all local (intranet) sites not listed in other zones
  2. Include all sites that bypass the proxy server
  3. Include all network paths (UNCs)

There's also the Advanced button, which allows you to manually specify sites to be added to the LIZ.

  • The first option is what we refer to as the "dot rule." Basically, it means that a host name which does not contain a period (for example, https://example/) is zoned in LIZ. Some exceptions exist, for instance, "dotless IP address" format is not permitted by this rule.
  • The second option is the primary subject of this article, so keep reading. :-)
  • The third option places files accessed by way of UNC syntax (for example, \\example) into the LIZ. IP addresses are not permitted, so \\207.28.127.1, for instance, is not placed in the LIZ by this rule.

The second option, "Include all sites that bypass the proxy server," is deceptively complex. To fully explain it, it's helpful to understand how Internet Explorer gets proxy information.

In Internet Explorer, on the Tools menu, click Internet Options, and then click the Connections tab. If you're connected by way of a LAN connection, click the LAN Settings button, otherwise select your dialup connection and click the Settings button.

On the configuration dialog, there are three choices:

  1. Automatically detect settings
  2. Use automatic configuration script
  3. Use a proxy server for your LAN [or for this connection]

Option #3 is the most straightforward—it allows you to manually specify the address and port of a proxy server. If you choose this option and click the Advanced button, you can enter host names that should bypass the proxy under Exceptions. As you might expect, if you enter exceptions and have configured the Local Intranet Zone option to include "All sites that bypass the proxy server," then the host names of those exceptions will be zoned into the LIZ.

Options #1 and #2 are closely related and result in Internet Explorer determining its proxy configuration at runtime by way of a script. The first option uses an algorithm called Web Proxy Auto Discovery (WPAD) to locate the configuration script, while the second option allows manual entry of the script location. In either case, the Proxy AutoConfiguration (PAC) script is written in JScript, and provides an implementation of the function FindProxyForURL (in the form: FindProxyForURL(url, host);). This function is called when Internet Explorer is asked to navigate to a URL, and the target URL and host name are passed into the function for evaluation. If the function returns a proxy string (for example, 'MyProxy:80') then the specified proxy is used for the request. Otherwise, if the function returns 'DIRECT' then the origin server is contacted directly, without using a proxy.

And therein was the source of the surprising behavior—when the bugs were filed, the reporter didn't think to check the proxy settings.

  • In cases where the user was seeing sites (for example, https://payroll.internal.example.com/) that they expected to be in the LIZ zoned as "Internet," they had not configured a proxy server and were accessing the fully-qualified domain name of the server, dots and all. There was no clue to the browser that this was expected to be an "Intranet" site.
  • In other cases, users were surprised to see a fully-qualified domain name (for example, https://extranet.external.example.com/) zoned into the LIZ because the address contains dots. What they didn't realize is that Internet Explorer was configured to use a PAC script and the proxy-administrator had authored the script to bypass the proxy for any hostname ending in "example.com."

Hopefully, I've shed some light on the sometimes surprising interactions between zones and proxies.

What other Internet Explorer mysteries have you discovered? I'd like the chance to help get to the bottom of them! Send your ideas to IETell@microsoft.com.

Eric Lawrence is a program manager on the Internet Explorer team.