Why you should never say “Turn ON Intranet Settings” in Internet Explorer (IE)

I recently checked into a hotel – connected to their guest wireless – and I started noticing odd things with some websites.

UPDATE: corrected title to conform to the message – thanks Mark…

If you’ve ever seen the following:

NEVER say “Turn on Intranet Settings”.

In my case, the hotel’s wireless (specifically their DHCP server) was returning a WPAD (Browser Proxy Autoconfiguration) with the following:

function FindProxyForURL(url, host)
{
  return "DIRECT";
}

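For IE, that means ALL sites will be mapped to the Intranet Zone automatically IF you’ve “Turned ON Intranet Settings”: the script answers DIRECT for every host, and with intranet settings on, IE treats sites that bypass the proxy as intranet sites.  This is bad, bad, bad.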

That means IE runs in Unprotected Mode for ALL internet sites.
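The check below is an added example, not code from the original post: it evaluates a PAC script against hosts known to be public and lists the ones it would send DIRECT, which are the ones IE would then treat as intranet. The names pacHelpers, loadPac and hostsTreatedAsIntranet, the second PAC script and the host names are assumptions made for illustration, as is the simplification that only the first entry of a PAC answer counts.

```javascript
// Constructed sample inputs. HOTEL_PAC is the script quoted in the post;
// SCOPED_PAC and the host names are made up for this example.
const HOTEL_PAC = 'function FindProxyForURL(url, host) { return "DIRECT"; }';
const SCOPED_PAC = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  return "PROXY proxy.corp.example:8080; DIRECT";
}`;
const PUBLIC_HOSTS = ["www.example.com", "login.example.org"];

// Minimal stand-ins for the PAC helper functions the samples call.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
};

// Compile PAC text into its FindProxyForURL function.
// new Function is NOT a sandbox: evaluate untrusted PAC text only in a disposable VM.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((name) => pacHelpers[name]));
}

// Hosts for which the PAC answers DIRECT. With intranet settings turned on,
// these bypass the proxy and so land in the Intranet Zone.
function hostsTreatedAsIntranet(source, hosts) {
  const findProxy = loadPac(source);
  return hosts.filter((host) => {
    const answer = String(findProxy("http://" + host + "/", host));
    // Assumption: a PAC answer is a ';'-separated list and the first entry decides.
    return answer.split(";")[0].trim().toUpperCase() === "DIRECT";
  });
}

console.log("hotel PAC :", hostsTreatedAsIntranet(HOTEL_PAC, PUBLIC_HOSTS));
console.log("scoped PAC:", hostsTreatedAsIntranet(SCOPED_PAC, PUBLIC_HOSTS));
```

Any public host in the result means the PAC script collapses the Internet/Intranet zone boundary for that host.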

If you have responded “incorrectly” – then you can reset it to auto as follows:

image

Finally, if you want to see the message where IE WOULD HAVE mapped the zone to Intranet, you can turn the warning back on via regedit:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnIntranet"=dword:00000001

See http://blogs.msdn.com/b/ieinternals/archive/2012/06/05/the-local-intranet-security-zone.aspx for more information.