If the network in a VMware image is configured as NAT, all TCP/IP connections from the guest OS is routed through the Windows Sockets in host OS. This is done by the VMware NAT Service on the host computer so that the virtual machine OS has the same external IP address.
Consequently, all HTTP traffic is scanned by BOTH Web Protections, this means Web Protection on the host (first) and on the virtual machine (second). This might lead to the situation, that the host Web Protection intercepts and blocks malware (e.g. EICAR) BEFORE the VM-Web Protection will see it.
The Web Protection on the host OS should be deactivated in order to avoid unnecessary impact and interaction.