It kind of depends on the URL obfuscation trick you're using, your browser and any proxies. Take hex escapes for example - some browsers (like IE I think) will remove (or even add) escapes before sending the request on - others won't. Browsers might also not be consistent with how they deal with things like the host header. It's actually not valid to include escapes in anything other than the path portion of a URL. Browsers that don't remove them can send a malformed URL to the server. Hex escapes in the path are always legal since the destination web server will convert them. In fact things like unescaped spaces are not legal in a path, but again some browsers escape any spaces and others don't.
Tricks like IP obfuscation depend on the program doing the DNS. This will be your browser, or a proxy, but in the end usually comes down to how the system's name resolver library works. In general though you can't depend on them working through a proxy.
Really these are all just tricks - they're generally non standard and browser dependant. Also they don't do much to hide your real destination. Mainly they seem to be used to fool the end user - not any eavesdroppers. That's why spammers seem to love them - it can make it more difficult to figure out what URL they're hosting themselves at by looking at the HTML, but the browser decodes the stuff before making the actual request.
For real security it would be better to have two proxies convert everything to HTTPS and back again. HTTPS encrypts the URL and all headers so nothing would be left visible - all an intermediary could see is that you're connecting to the second (decrypting) proxy. Of course the second proxy would still have to make the final leg in the clear. Really, you might as well just set up a VPN to do the same thing for all traffic.
Edited by - Scott Lemmon on 27 Jun 2002 17:49:17