Legacy App only Working with Proxy-Enforced Forwarding or Tunnel w/ LP

I’ve been troubleshooting a very strange issue. We have a legacy application which is built off of some ActiveX scripts. We’re currently rolling out Silverpeak SD-WAN and as a result, have been migrating our users location by location from Proxy-Enforced forwarding to Packet-based tunnel mode. We are currently on Tunnel v 1.0. When we made this change at a particular site, it broke the legacy application and in working with support we found that changing the Z app from Tunnel mode to Tunnel with Local Proxy fixed the issue.

Our confusion is that this is an 100% internal application and we haven’t been able to identify any external traffic stemming from the application, so we are unsure why Zscaler is even impacting the functionality. When looking at the page using the developer tools, we could see that parts of the vbs script breaks when the Z app is in tunnel mode, but not when its in tunnel w/ local proxy, or we have the pac file enforced.

We currently have the setting for ActiveX controls in ATP set to block, but this has been set that way for awhile, so I wouldn’t expect that to be impacting this application. We are truly stumped and wanted to see if anyone can offer any ideas as to why this application only works in tunnel w/ LP or with the pac file.