If Network Shield is able to deal with an infected site by simply checking the URL against a database, then there's no point in trying to detect the code on that page. So, that "heuristic" detection may not be present (saving the CPU and memory, if you wish). So, if you disable Network Shield, you get infected.
So, in other words, Network Shield is only useful against known bad sites?
In that case I can disable it, because most threats are unknown (websites change all the time anyway).
I didn't say that... I don't know exactly what processing the Network Shield does, and I don't really care. As I said, even if it were the case now, it may change in the next virus definition update.
What I'm saying is that the protection assumes the shield is there - other, possibly unknown, websites may be redirecting traffic to these sites (there's a lot of redirecting in the malware world) - and when we find out, there's no reason to add another detection (read: "tweak heuristics if it doesn't detect it already") if the payload is actually covered by the "stupid" Network Shield already.
Besides, "known" and "unknown" to you may not be the same as known and unknown to us. We have quite a broad infrastructure and we can deliver the updates of the database (via streaming updates) within minutes, possibly less.
So if you are looking for a heuristic that solves everything - well, good luck with that. Real-time updates and good/fast data sources are quite efficient as well.