In corporate networks, internet access is frequently via an TLS MITM proxy server, unless going to an small set of approved sites, like major financial institutions (i.e. your internet banking logon), etc., which are usually whitelisted from being intercepted.
Usually the organisation will insert the certificate into the PC's cert-store (assuming a windows shop) as an authorised CA cert so you don't get cert errors even though there is a MITM attack going on. E.g., since I am reading this at work now, when I look at the certificate chain of the site, it shows a certificate chain of (names changed to protect the guilty):
Proxy Root CA -> Proxy Subordinate authority -> Proxy Intercept CA -> theregister.co.uk
With the three self-signed 'Proxy' CA certs having been inserted into the windows PC's certificate store as trusted CAs (which can be viewed using certmgr.msc) by the corporate operating environment.
Public access points often implement the same sort of technology - though they can't insert their CA into your devices certificate store, hence certificate errors - to protect themselves from, for example, someone going to a porn site on a public terminal.