IE Proxy vs WinHTTP Proxy: Technical Comparison and IIS Default Behavior



Windows systems handle proxy configurations through two distinct mechanisms: Internet Explorer (IE) proxy settings and WinHTTP proxy settings. While they might appear similar at first glance, their usage patterns and system-level implications differ significantly.

IE proxy settings are configured through:

Internet Options → Connections → LAN settings

These settings are stored in the registry at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Applications that typically use IE proxy settings include:

  • Internet Explorer (obviously)
  • Most modern browsers (Chrome, Edge, etc.)
  • .NET applications using WebClient or HttpWebRequest by default

WinHTTP proxy settings are configured via command line:

netsh winhttp set proxy proxy-server="http=proxy.example.com:8080" bypass-list="*.local"

These settings are stored separately at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpParameters

Key components that use WinHTTP proxy:

  • Windows Update
  • Background Intelligent Transfer Service (BITS)
  • Microsoft Installer (MSI)
  • Some older Win32 applications

For IIS specifically:

<!-- ApplicationHost.config snippet showing proxy awareness -->
<applicationPools>
    <add name="DefaultAppPool" managedRuntimeVersion="v4.0" />
</applicationPools>

By default, IIS applications will:

  • Use IE proxy settings when making outbound HTTP calls from .NET applications
  • Ignore WinHTTP proxy settings unless specifically configured otherwise
  • Respect web.config proxy settings over system defaults

To programmatically set WinHTTP proxy in C#:

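using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

class WinHttpProxySetter
{
    private const uint WINHTTP_ACCESS_TYPE_NAMED_PROXY = 3;

    // SetLastError makes the Win32 error code available after a failed call
    [DllImport("winhttp.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool WinHttpSetDefaultProxyConfiguration(
        ref WINHTTP_PROXY_INFO pProxyInfo);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct WINHTTP_PROXY_INFO
    {
        public uint dwAccessType;      // DWORD in the native structure
        public string lpszProxy;
        public string lpszProxyBypass;
    }

    // Changes the machine-wide WinHTTP default proxy
    public static void SetProxy(string proxy, string bypass)
    {
        WINHTTP_PROXY_INFO proxyInfo = new WINHTTP_PROXY_INFO();
        proxyInfo.dwAccessType = WINHTTP_ACCESS_TYPE_NAMED_PROXY;
        proxyInfo.lpszProxy = proxy;
        proxyInfo.lpszProxyBypass = bypass;

        // The call returns FALSE on failure; surface the error instead of ignoring it
        if (!WinHttpSetDefaultProxyConfiguration(ref proxyInfo))
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }
}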

| Feature | IE Proxy | WinHTTP Proxy |
| --- | --- | --- |
| Scope | User-level | System-level |
| Storage | HKCU registry | HKLM registry |
| Affected Applications | UI applications, browsers | System services, background processes |
| Configuration Method | GUI (Internet Options) | netsh winhttp command |

When debugging proxy-related problems in IIS:

REM Check current WinHTTP proxy settings
netsh winhttp show proxy

REM Reset to direct connection
netsh winhttp reset proxy

// Verify proxy in .NET application (requires "using System.Net;")
Console.WriteLine(WebRequest.DefaultWebProxy.GetProxy(new Uri("http://example.com")));

When working with Windows-based applications, you'll encounter two distinct proxy configuration systems:

  • IE Proxy Settings: Managed via Internet Options or Group Policy, these control WinINET API behavior
  • WinHTTP Proxy Settings: Configured via netsh winhttp, these govern the WinHTTP stack
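
// Sample code checking IE proxy settings (WinINET); link with wininet.lib
#include <windows.h>
#include <wininet.h>

BOOL QueryIeProxy(INTERNET_PROXY_INFO *proxyInfo, DWORD dwSize)
{
    // dwSize must cover the structure plus the proxy strings stored after it;
    // a buffer of only sizeof(INTERNET_PROXY_INFO) is too small once a proxy is set
    return InternetQueryOption(NULL, INTERNET_OPTION_PROXY, proxyInfo, &dwSize);
}

REM Checking the WinHTTP proxy (alternative approach, from a command prompt)
netsh winhttp show proxy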

Key architectural differences:

| Feature | IE (WinINET) | WinHTTP |
| --- | --- | --- |
| API Family | Higher-level | Lower-level |
| Authentication | Auto-negotiates | Manual config |
| Process Isolation | Per-user | Machine-wide |
| PAC File Support | Full | Basic |

IIS primarily uses WinHTTP proxy settings for:

  • Windows Authentication to upstream servers
  • ARR (Application Request Routing) modules
  • Web Deploy operations

To verify and configure for IIS:

REM Check current WinHTTP proxy
netsh winhttp show proxy

REM Set explicit proxy for IIS components
netsh winhttp set proxy proxy-server="http=proxy.contoso.com:8080" bypass-list="*.contoso.com"

Case 1: IIS fails to authenticate through proxy while browser works fine.
Solution: Configure WinHTTP proxy to match domain authentication requirements.

# PowerShell alternative for WinHTTP proxy
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" `
  -Name ProxyServer -Value "http=corpproxy:3128;https=corpproxy:3128"

Case 2: Mixed environment with both WinINET and WinHTTP applications.
Solution: Implement proxy.pac with proper fallback logic and maintain both configurations.

  • Always configure WinHTTP proxy when deploying IIS servers in proxied networks
  • Use Group Policy Preferences to maintain consistency across servers
  • Test both WinINET and WinHTTP paths during deployment validation
  • Document proxy requirements separately for user-facing vs service applications
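
For the deployment validation step above, an added example (not part of the original article): a PowerShell audit that lists the per-user WinINET settings from every loaded hive under HKEY_USERS next to the machine-wide WinHTTP proxy and warns where they differ. It assumes an elevated session, English netsh output, and the standard ProxyEnable, ProxyServer, ProxyOverride and AutoConfigURL value names; the function names are hypothetical.

```powershell
# Added example: audit WinINET (per-user) and WinHTTP (machine-wide) proxy settings.
# Assumes an elevated session and English netsh output; function names are hypothetical.

function Get-WinInetProxy {
    # One row per loaded hive under HKEY_USERS; service identities have their own hive.
    Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
            $s = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($s) {
                [pscustomobject]@{
                    Stack   = 'WinINET'
                    Scope   = $sid
                    Enabled = [bool]$s.ProxyEnable
                    Proxy   = $s.ProxyServer
                    Bypass  = $s.ProxyOverride
                    PacUrl  = $s.AutoConfigURL
                }
            }
        }
}

function Get-WinHttpProxy {
    # Parse the text printed by "netsh winhttp show proxy".
    $text   = (& netsh.exe winhttp show proxy) -join "`n"
    $proxy  = if ($text -match 'Proxy Server\(s\)\s*:\s*(.+)') { $Matches[1].Trim() }
    $bypass = if ($text -match 'Bypass List\s*:\s*(.+)') { $Matches[1].Trim() }
    [pscustomobject]@{
        Stack = 'WinHTTP'; Scope = 'Machine'; Enabled = [bool]$proxy
        Proxy = $proxy; Bypass = $bypass; PacUrl = $null
    }
}

$machine = Get-WinHttpProxy
$users   = @(Get-WinInetProxy)
@($machine) + $users | Format-Table -AutoSize

# Review items: a hive with a PAC URL, or an enabled proxy that is not the WinHTTP one.
foreach ($u in $users) {
    if ($u.PacUrl) { Write-Warning "$($u.Scope): PAC script $($u.PacUrl)" }
    if ($u.Enabled -and $u.Proxy -ne $machine.Proxy) {
        Write-Warning "$($u.Scope): WinINET '$($u.Proxy)' vs WinHTTP '$($machine.Proxy)'"
    }
}
```

The comparison is textual, so a WinHTTP value written as http=host:port will be reported against a WinINET value written as host:port; treat each warning as an item to review rather than a confirmed mismatch.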