diff --git a/codex-rs/core/src/config/config_tests.rs b/codex-rs/core/src/config/config_tests.rs
index 1659fb100e..3b5b8d53e5 100644
--- a/codex-rs/core/src/config/config_tests.rs
+++ b/codex-rs/core/src/config/config_tests.rs
@@ -837,7 +837,8 @@ async fn permissions_profiles_network_enabled_allows_runtime_network_without_pro
 }
 #[tokio::test]
-async fn permissions_profiles_proxy_policy_starts_managed_network_proxy() -> std::io::Result<()> {
+async fn permissions_profiles_proxy_policy_does_not_start_managed_network_proxy_without_feature()
+-> std::io::Result<()> {
 let codex_home = TempDir::new()?;
 let cwd = TempDir::new()?;
 std::fs::write(cwd.path().join(".git"), "gitdir: nowhere")?;
@@ -878,15 +879,9 @@ async fn permissions_profiles_proxy_policy_starts_managed_network_proxy() -> std
 config.permissions.network_sandbox_policy(),
 NetworkSandboxPolicy::Enabled
 );
- let network = config
- .permissions
- .network
- .as_ref()
- .expect("profile proxy policy should start the managed network proxy");
- assert_eq!(network.proxy_host_and_port(), "127.0.0.1:43128");
 assert!(
- !network.socks_enabled(),
- "profile proxy policy should preserve SOCKS config"
+ config.permissions.network.is_none(),
+ "profile proxy policy should not start the managed network proxy without the feature"
 );
 Ok(())
 }
@@ -1099,7 +1094,8 @@ proxy_url = "http://127.0.0.1:43128"
 }
 #[tokio::test]
-async fn disabled_network_proxy_feature_preserves_profile_proxy_policy() -> std::io::Result<()> {
+async fn disabled_network_proxy_feature_does_not_start_profile_proxy_policy() -> std::io::Result<()>
+{
 let codex_home = TempDir::new()?;
 let cwd = TempDir::new()?;
 let config = Config::load_from_base_config_with_overrides(
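Review bot: In the hunk at -878 the test now asserts `NetworkSandboxPolicy::Enabled` together with `config.permissions.network.is_none()`, and the removed checks on `proxy_host_and_port()` and `socks_enabled()` have no visible replacement, so nothing in these hunks confirms that the profile's proxy settings are still honoured once the feature is on. If no such test exists elsewhere in the file, add a companion case that loads the same profile with `Feature::NetworkProxy` enabled and asserts that `network.proxy_host_and_port()` is `"127.0.0.1:43128"`. The same applies to `disabled_network_proxy_feature_does_not_start_profile_proxy_policy` in the hunk at -1145. The middle of both test bodies lies outside the hunks, so the profile contents they load are not visible here.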
@@ -1145,13 +1141,10 @@ enabled = false
 .await?;
 assert!(!config.features.enabled(Feature::NetworkProxy));
- let network = config
- .permissions
- .network
- .as_ref()
- .expect("profile proxy policy should still start the managed proxy");
- assert_eq!(network.proxy_host_and_port(), "127.0.0.1:43128");
- assert!(!network.socks_enabled());
+ assert!(
+ config.permissions.network.is_none(),
+ "disabled feature should keep profile proxy policy from starting the managed proxy"
+ );
 Ok(())
 }
diff --git a/codex-rs/core/src/config/permissions.rs b/codex-rs/core/src/config/permissions.rs
index 274a6ff116..2bb1f0752b 100644
--- a/codex-rs/core/src/config/permissions.rs
+++ b/codex-rs/core/src/config/permissions.rs
@@ -117,37 +117,13 @@ pub(crate) fn network_proxy_config_from_profile_network(
 NetworkProxyConfig::default,
 NetworkToml::to_network_proxy_config,
 );
- // Profile `network.enabled` controls sandbox network access. Do not start a
- // managed proxy for that bit alone, but keep the proxy enabled when the
- // profile also supplied policy that only the proxy can enforce.
- config.network.enabled = network.is_some_and(profile_network_requires_proxy);
+ // Profile `network.enabled` controls sandbox network access. Profiles may
+ // provide proxy settings for the feature gate to consume, but they do not
+ // start the managed proxy on their own.
+ config.network.enabled = false;
 config
 }
-fn profile_network_requires_proxy(network: &NetworkToml) -> bool {
- if network.enabled != Some(true) {
- return false;
- }
-
- network.proxy_url.is_some()
- || network.enable_socks5 == Some(true)
- || network.socks_url.is_some()
- || network.enable_socks5_udp == Some(true)
- || network.allow_upstream_proxy == Some(true)
- || network.dangerously_allow_non_loopback_proxy == Some(true)
- || network.dangerously_allow_all_unix_sockets == Some(true)
- || network.mode.is_some()
- || network
- .domains
- .as_ref()
- .is_some_and(|domains| !domains.is_empty())
- || network
- .unix_sockets
- .as_ref()
- .is_some_and(|unix_sockets| !unix_sockets.is_empty())
- || network.allow_local_binding == Some(true)
-}
-
 pub(crate) fn apply_network_proxy_feature_config(
 config: &mut NetworkProxyConfig,
 feature_config: &NetworkProxyConfigToml,
diff --git a/codex-rs/core/src/config/permissions_tests.rs b/codex-rs/core/src/config/permissions_tests.rs
index 7dd2bcdefe..6ae9307f02 100644
--- a/codex-rs/core/src/config/permissions_tests.rs
+++ b/codex-rs/core/src/config/permissions_tests.rs
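Review bot: Setting `config.network.enabled = false` unconditionally means a profile that combines `network.enabled = true` with `domains`, `unix_sockets` or `mode` no longer gets the managed proxy unless the feature gate is on, while the updated test in config_tests.rs still expects `NetworkSandboxPolicy::Enabled`. The removed comment described these settings as policy that only the proxy can enforce, so this looks like it fails open to unrestricted network access. Consider keeping the `profile_network_requires_proxy` predicate and using it where the feature gate is evaluated, to warn or to refuse network access when such policy is present and the feature is off. At minimum the new comment should state the consequence, e.g. `// Without the network proxy feature, profile domains/unix_sockets/mode are not enforced.` The function starts above the hunk, and how the sandbox policy is derived is not visible here.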
@@ -247,7 +247,7 @@ fn profile_network_proxy_config_keeps_proxy_disabled_for_bare_network_access() {
 }
 #[test]
-fn profile_network_proxy_config_enables_proxy_for_proxy_policy() {
+fn profile_network_proxy_config_keeps_proxy_disabled_for_proxy_policy() {
 let config = network_proxy_config_from_profile_network(Some(&NetworkToml {
 enabled: Some(true),
 proxy_url: Some("http://127.0.0.1:43128".to_string()),
@@ -261,7 +261,7 @@ fn profile_network_proxy_config_enables_proxy_for_proxy_policy() {
 ..Default::default()
 }));
- assert!(config.network.enabled);
+ assert!(!config.network.enabled);
 assert_eq!(config.network.proxy_url, "http://127.0.0.1:43128");
 assert!(!config.network.enable_socks5);
 assert_eq!(