Microsoft KB Archive/884430

= Your home page is assigned to the incorrect security zone if Internet Explorer uses a proxy auto-configuration (.pac) file to specify proxy settings =

Article ID: 884430

Article Last Modified on 2/7/2007

-

APPLIES TO


 * Microsoft Internet Explorer 6.0 Service Pack 1
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.01 Service Pack 4
 * Microsoft Internet Explorer 5.01 Service Pack 3
 * Microsoft Internet Explorer 5.01 Service Pack 2
 * Microsoft Internet Explorer 5.01 Service Pack 1
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.0
 * Windows Internet Explorer 7 for Windows XP
 * Windows Internet Explorer 7 for Windows Server 2003
 * Windows Internet Explorer 7 for Windows Server 2003 IA64

-





SYMPTOMS
If Microsoft Internet Explorer or Windows Internet Explorer is configured to use a proxy auto-configuration (.pac) file, the security zone for your home page may not correspond to what is specified in the .pac file. For example, if the following conditions are true, the security zone that appears at the lower-right corner of your browser window may indicate that the Web page is in the Internet security zone:
 * Internet Explorer is configured to use a .pac file.
 * Your home page is set to an internal Web page that is part of the Local intranet zone, according to the .pac file.

This zone inconsistency may produce unexpected symptoms, such as cross-frame scripting issues. Additionally, when frames are used, the zone that is computed may sometimes be mixed. For example, one frame is part of the Local intranet zone, and another frame is part of the Internet zone. If you press F5 to update the page, your home page indicates the zone that is specified in the .pac file.



CAUSE
This behavior may occur if the following conditions are true:
 * Your home page has a content-expiration header.
 * Internet Explorer pulls your unexpired home page from the cache.

For performance reasons, Internet Explorer only fetches the .pac file on the first network access. To obtain the .pac file, Internet Explorer uses a GET request. However, if your Internet Explorer home page is set to an unexpired page that is in the cache, the .pac file is not downloaded. Therefore, the zone for the URL may not match the zone that is assigned in the .pac file.

For example, if access to your &quot;http://. .com/default.asp&quot; home page URL does not require a proxy because the .pac file uses the return &quot;DIRECT&quot; statement, the URL is assigned to the Local intranet zone. However, if the Default.asp page is sent with a content-expiration header, the Default.asp page is requested one time and then cached until the page expires. If you restart Internet Explorer, the page is read from the cache until the content expires. Because a new GET request is not sent for the page, the .pac file is not requested. When no proxy configuration is used, Internet Explorer assigns a URL where the host name is specified in fully qualified domain name (FQDN) format to the Internet zone.

If you press F5 to update the page, the following process occurs when the .pac file uses the return &quot;DIRECT&quot; statement for your home page:
 * 1) A GET request is sent to the server.
 * 2) The .pac file is downloaded.
 * 3) Your home page URL is assigned to the Local intranet zone because the .pac file specifies that no proxy is required to access the URL.



WORKAROUND
To work around this behavior, use any of the following methods:
 * Explicitly add the Web server name or the domain name to the required zone. This overrides any zone computations that are based on the proxy exception list or the .pac file. For example, to add a Web site to the Local intranet zone, follow these steps:
 * Start Internet Explorer.
 * On the Tools menu, click Internet Options.
 * On the Security tab, click Local intranet, and then click Sites.
 * Click Advanced.
 * In the Add this Web site to the zone box, type the Web address, and then click Add.
 * Click OK.
 * Force a network access GET request to start the .pac file download. To do this, you can add a hidden element, such as an IMG element or anIFRAME element, to the home page with the SRC attribute set to any URL that does not use a content-expiration header.
 * Do not use a content-expiration header on the home page.
 * Do not use a .pac file. Instead, use the proxy exception list. To add an address to the exceptions list, follow these steps:
 * Start Internet Explorer.
 * On the Tools menu, click Internet Options.
 * On the Connections tab, click LAN Settings.
 * Under Proxy server, click Advanced.

NoteTo use the Advanced button and to configure proxy exceptions, the Use a proxy server for your LAN check box must be selected, and a proxy server must be specified.
 * Under Exceptions, type the appropriate information.
 * Click OK three times.

Note You can also configure Internet Explorer settings by using Group Policy. For more information about how to do this, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/default.mspx?mfr=true



MORE INFORMATION
You can configure Internet Explorer to use a .pac file to specify the proxy server that must be used to access a URL. Just as it uses the proxy exception list, Internet Explorer uses the .pac file to determine the zone for a URL.

URL assignment information

 * A URL that requires a proxy is assigned to the Internet zone.
 * A URL that can be retrieved directly without a proxy is assigned to the Local intranet zone.

Note If no proxy configuration is used, Internet Explorer assigns a URL with a host name that does not contain dots to the Local intranet zone. A host name that does not contain dots is named a dotless host name. An FQDN is assigned to the Internet zone.

Keywords: kbtshoot kbprb KB884430

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.