If the network in a VMware image is configured as NAT, all TCP/IP connections from the guest OS are routed through Windows Sockets in the host OS. This is done by the VMware NAT Service on the host computer so that the virtual machine OS has the same external IP address.
Consequently, all HTTP traffic is scanned by BOTH Web Protection modules. This means Web Protection on the host (first) and on the virtual machine (second). This might lead to the situation, where the host Web Protection module intercepts and blocks malware (e.g. EICAR) BEFORE the VM Web Protection will see it.
The Web Protection module on the host OS should be deactivated to avoid it interacting unnecessarily and needlessly impacting system performance..