Internet Explorer caches Proxy Settings?

[Guest]

I'm trying to implement an internet switching tool, our Proxy servers are
FQDN's in our DNS server.

To disable the internet for a suite of PCs (who use a particular proxy), we
are changing the DNS IP to something invalid.

However, what I've found is that IE6 seems to 'cache' the proxy settings.
(We aren't using automatic configuration scripts or anything - just manual
proxy settings).

I have the 'Disable caching of Auto-Proxy scripts' GPO setting enabled,
hoping this would solve the problem - but it hasn't.

Does IE actually cache the proxy lookup (The DNS records have a TTL of 1
second, even with a 'ipconfig /flushdns' - IE still gets through) somewhere
and if so - how can I clear this out?

It seems that shutting down IE6 and re-opening clears it, but is there
something I can do to make it more 'instant' - rather than getting people to
close IE6 (which if we disable the internet, they won't want to do as long as
they can still GET the internet)?

Arkane

 

[Jon Kennedy]

See this article for possible help:

How to disable automatic proxy caching in Internet Explorer
http://support.microsoft.com/kb/271361/en-us


You can also restrict internet access via the registry or IE's proxy
settings on the Internet Options...Connect tab, LAN settings button. Set it
to use a non-existent proxy server and then lock out access to the Internet
Options via the registry setting "NoBrowserOptions" below. Corresponding
registry entries re the proxy settings are also below..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
These settings enable the use of a proxy server.

"ProxyServer"="http://ProxyServername:80"
Contains the address of the Proxy server. Since we want to block web
access, just fill this in with a few random characters.

"ProxyOverride"
Use this setting if there are websites that you want your users to have
access to. Addresses should be separated by a semicolon (.

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet
Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
This setting prevents users from opening "Internet Options" and
changing the Proxy settings back to default.

Other restrictions you may find useful are in this article:

The restrictions that are available to Internet Explorer 6.0 SP1
http://support.microsoft.com/default.aspx?scid=kb;en-us;823057

 

[Guest]

Appreciate the response however we have the 'disable automatic proxy caching'
already set.

The reason we don't want it to cache proxy settings at all is because we are
using DNS entries (with a TTL of 1) to switch between proxies.

If we set the DNS to a valid proxy (from an invalid one) while IE is open,
IE picks this up and surfs the internet.

If we reverse the process then IE still surfs the internet, even though the
DNS IP for the proxy it's pointing to - has changed to an invalid one.

The only way it seems to clear this is to close IE and reopen it - I'm just
wondering why it does this or if there is a way to force it not to cache
anything about proxies.

Arkane

See this article for possible help:

How to disable automatic proxy caching in Internet Explorer
http://support.microsoft.com/kb/271361/en-us


You can also restrict internet access via the registry or IE's proxy
settings on the Internet Options...Connect tab, LAN settings button. Set it
to use a non-existent proxy server and then lock out access to the Internet
Options via the registry setting "NoBrowserOptions" below. Corresponding
registry entries re the proxy settings are also below..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
These settings enable the use of a proxy server.

"ProxyServer"="http://ProxyServername:80"
Contains the address of the Proxy server. Since we want to block web
access, just fill this in with a few random characters.

"ProxyOverride"
Use this setting if there are websites that you want your users to have
access to. Addresses should be separated by a semicolon (.

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet
Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
This setting prevents users from opening "Internet Options" and
changing the Proxy settings back to default.

Other restrictions you may find useful are in this article:

The restrictions that are available to Internet Explorer 6.0 SP1
http://support.microsoft.com/default.aspx?scid=kb;en-us;823057


--

Jon Kennnedy, MS MVP/IE
Charlotte, NC, USA
(e-mail address removed)

I'm trying to implement an internet switching tool, our Proxy servers are
FQDN's in our DNS server.

To disable the internet for a suite of PCs (who use a particular proxy),
we
are changing the DNS IP to something invalid.

However, what I've found is that IE6 seems to 'cache' the proxy settings.
(We aren't using automatic configuration scripts or anything - just manual
proxy settings).

I have the 'Disable caching of Auto-Proxy scripts' GPO setting enabled,
hoping this would solve the problem - but it hasn't.

Does IE actually cache the proxy lookup (The DNS records have a TTL of 1
second, even with a 'ipconfig /flushdns' - IE still gets through)
somewhere
and if so - how can I clear this out?

It seems that shutting down IE6 and re-opening clears it, but is there
something I can do to make it more 'instant' - rather than getting people
to
close IE6 (which if we disable the internet, they won't want to do as long
as
they can still GET the internet)?

Arkane

 

[Robert Aldwinckle]

I'm trying to implement an internet switching tool, our Proxy servers are
FQDN's in our DNS server.

To disable the internet for a suite of PCs (who use a particular proxy), we
are changing the DNS IP to something invalid.

I'm not clear what you mean by "DNS IP" here. The addresses that
ipconfig /all returns and the ones that nslookup uses?
Then the only lookups which would work would be ones which involved
your HOSTS file.

Otherwise perhaps it means that you have modified a specific lookup
on your DNS to be invalid?

However, what I've found is that IE6 seems to 'cache' the proxy settings.
(We aren't using automatic configuration scripts or anything - just manual
proxy settings).

Is the lookup for "proxy settings" coded properly in your HOSTS file?

I have the 'Disable caching of Auto-Proxy scripts' GPO setting enabled,
hoping this would solve the problem - but it hasn't.

Does IE actually cache the proxy lookup (The DNS records have a TTL of 1
second, even with a 'ipconfig /flushdns' - IE still gets through) somewhere
and if so - how can I clear this out?

This is what makes me think that "changing the DNS IP to something invalid"
really must mean something other than what it says literally? E.g. if both
DNS IP addresses are invalid then any DNS records contained in your real
DNS wouldn't matter to a client which didn't have addressability to them.

It seems that shutting down IE6 and re-opening clears it, but is there
something I can do to make it more 'instant' - rather than getting people to
close IE6 (which if we disable the internet, they won't want to do as long as
they can still GET the internet)?

Have you tried playing with this one?

<title>How Internet Explorer uses the cache for DNS host entries</title>
http://support.microsoft.com/kb/263558

Does waiting 30 minutes also change your symptom? ; )


HTH

Robert Aldwinckle
---