The surprising relationship between the Local Intranet Zone and proxy settings

Source: Internet
Author: User
Tags: fully qualified domain name

Proxy server settings have a number of surprising interactions with Internet Explorer's security zones.

 

The Local Intranet Zone is easy to use. With TCP/IP, a server on the other side of the earth is accessed in the same way as a server on the floor below; the question of what counts as "local", on the other hand, is left to the user or the network administrator to answer. It is easy to assume that IE magically "knows" when a machine is on the local intranet, but this is not the case.

 

As in the other security zones, you can manually add a site to the LIZ (Local Intranet Zone) by clicking the Sites button in the Security Options dialog box. However, the Sites button of the Local Intranet Zone provides three options that are not available in other zones.

There is also an Advanced button that lets you add sites to the LIZ manually.

    • The first option is what we often call the "point-by-point rule". Basically, it means that a host name that does not contain a "." (for example, http://example/) is in the LIZ. Some exceptions exist; for example, the "dotless IP address" format is not admitted by this rule.
    • The second option is the one this article mainly discusses.
    • The third option places files accessed using UNC syntax (for example, \\example) in the LIZ. Note that IP addresses are not admitted by this rule; for example, \\207.28.127.1 will not be put into the LIZ by this rule.

The second option, "include all sites that bypass the proxy server", is deceptive and complex. To understand it, it helps to know how Internet Explorer obtains its proxy server information.

 

In IE's Tools menu, click Internet Options, and then click the Connections tab. If you connect to the network through a LAN connection, click the LAN Settings button; otherwise, select your dial-up connection and click the Settings button.

 

In the configuration dialog box, there are three options:

    1. Automatically detect settings
    2. Use automatic configuration script
    3. Use a proxy server for your LAN [or: for this connection]

The third option here is straightforward: it lets you manually specify the proxy server address and port number. If you select this option and then click the Advanced button, you can enter, under Exceptions, host names that should bypass the proxy. As you might expect, if you enter exceptions and the Local Intranet Zone is configured to "include all sites that bypass the proxy server", those host names are put in the LIZ.

 

The first and second options are closely related: both cause Internet Explorer to determine the proxy configuration through a script at run time. The first option uses the Web Proxy Auto-Discovery (WPAD) algorithm to locate the configuration script, while the second lets the script location be configured manually. In either case, the proxy auto-configuration (PAC) script is written in JavaScript and provides a function FindProxyForURL (the form is FindProxyForURL(url, host);). IE calls this function whenever it needs to navigate to a URL, passing in the target URL and host name for evaluation. If the function returns a proxy string (for example, "myproxy:80"), the specified proxy is used to handle the request. Otherwise, if the function returns "DIRECT", the browser connects directly to the origin server without any proxy.

 

The surprising behaviors follow from the explanation above. When a problem occurs, the person reporting it does not expect to have to check the proxy configuration.

    • A user visits a site (for example, http://payroll.internal.example.com/) and expects it to be in the LIZ (Intranet), but no proxy server is configured and the user is using the server's fully qualified domain name (FQDN). The browser has no clue that the site should be placed in the "Intranet" zone.
    • In other cases, users may find that an FQDN is put into the LIZ although the site name contains several dots. What they do not realize is that Internet Explorer is configured to use a PAC script, and the proxy administrator wrote the script so that any domain name ending in "example.com" bypasses the proxy server.

 

Other knowledge

================

What is the dotless IP address format?

----------------------------------------
Internet addresses are typically provided using a "dotted" address format. For instance, the address of the Microsoft Web site in dotted format is http://207.46.131.13. However, it's possible to use other formats. For instance, you could also use a "dotless" format, in which the bit sequence corresponding to the dotted address is treated as a numerical value. For instance, the Microsoft Web site's address could be rendered as http://031713501415. These are equivalent representations, and both are valid ways to refer to the web site.
A vulnerability occurs because, if an Internet address is provided in dotless form and is malformed in a particular way, IE uses the wrong security zone to process the web pages at the site.

 

Summary: determining whether a site is in the Intranet Zone

==================

The last section of the article above is vague. Please read the "surprising" section in light of the following summary. To respect the original text, and because my ability is limited, I translated it as it is. Haha.

 

1. Check whether the address contains a ".". If it does, the site is considered to belong to the Internet zone by default, unless the site has been added to the bypass-proxy list.

2. If the address contains no ".", the site is considered to belong to the Intranet Zone by default, unless the site is defined as needing to go through the proxy.
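
The two rules above, combined with the PAC behavior described earlier, as an added example that is neither part of the original article nor Internet Explorer's own code. The PAC script, the classifyZone function and its cfg fields are constructed for illustration, and the proxy string uses the standard PAC form "PROXY host:port".

```javascript
// Added example: a model of the zone rules as this page summarizes them.
// It is not Internet Explorer's implementation.

// Stand-ins for two standard PAC helpers so the script runs outside a browser.
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Constructed PAC script: hosts under example.com bypass the proxy.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.com")) {
    return "DIRECT";
  }
  return "PROXY myproxy:80";
}

// cfg.findProxy: PAC function, or undefined when no proxy is configured.
// cfg.includeBypassSites: the "include all sites that bypass the proxy
// server" checkbox. The first (dotless host name) option is assumed ticked.
function classifyZone(url, cfg) {
  // The URL parser rewrites dotless IPs (decimal, octal, hex) to dotted
  // form, so they are not mistaken for plain host names.
  const host = new URL(url).hostname;
  const viaProxy = Boolean(cfg.findProxy) &&
    cfg.findProxy(url, host).trim().toUpperCase() !== "DIRECT";
  if (host.includes(".")) {
    // Rule 1: dotted hosts are Internet unless they bypass a configured proxy.
    const bypasses = Boolean(cfg.findProxy) && !viaProxy;
    return bypasses && cfg.includeBypassSites ? "Intranet" : "Internet";
  }
  // Rule 2: plain host names are Intranet unless sent through the proxy.
  return viaProxy ? "Internet" : "Intranet";
}

const pacCfg = { findProxy: FindProxyForURL, includeBypassSites: true };
const noProxy = { findProxy: undefined, includeBypassSites: true };
for (const [url, cfg] of [
  ["http://payroll.internal.example.com/", noProxy],
  ["http://payroll.internal.example.com/", pacCfg],
  ["http://example/", noProxy],
  ["http://031713501415/", noProxy],
]) {
  console.log(url, "->", classifyZone(url, cfg));
}
```

The first two sample URLs reproduce the two surprising cases: the same FQDN lands in the Internet zone with no proxy configured and in the Intranet zone once the PAC script returns DIRECT for it.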

 

[Translator's questions]

==================

In IE7, a checkbox was added: "Automatically detect intranet network". This article does not mention the behavior of this option. Does anyone know? Can you help me with this?

 

Original article: http://msdn.microsoft.com/en-us/library/bb250483%28VS.85%29.aspx

References: http://support.microsoft.com/kb/303650
