Your understanding is correct, but if your IT department puts a wildcard cert on your machine, it can MitM all your traffic (e.g. your company's firewall can say "Hi, I am $SITE, here's a certificate to prove it" and your browser will accept it). Traffic between you and the firewall, as well as between the firewall and the actual site, is still encrypted.
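As an added example (not from the answer above), this Go program reproduces the mechanism being described: a throwaway "corporate inspection" CA signs a certificate for a hostname on the fly, the certificate fails verification against the browser's built-in roots (modelled here as an empty pool, since a private CA is not among them), and it passes once that CA is added to the trust store. The CA name and hostname are made up; the only thing the user can still check is the issuer shown in the certificate viewer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// mintCert signs tmpl with parentKey; a nil parent yields a self-signed root.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// InterceptionDemo models an inspecting firewall whose made-up "Example Corp Inspection CA" mints a cert for host,
// and reports whether it verifies against public roots (empty pool here), against a store with that CA installed, and the issuer name.
func InterceptionDemo(host string) (trustedByPublicRoots, trustedWithCorpCA bool, issuer string) {
	now, hour := time.Now(), time.Hour
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-hour), NotAfter: now.Add(hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Example Corp Inspection CA"}}
	ca, caKey := mintCert(caTmpl, nil, nil)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now.Add(-hour), NotAfter: now.Add(hour),
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf, _ := mintCert(leafTmpl, ca, caKey)
	_, errPublic := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()})
	corpRoots := x509.NewCertPool()
	corpRoots.AddCert(ca) // this is what "IT puts the cert on your machine" amounts to
	_, errCorp := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: corpRoots})
	return errPublic == nil, errCorp == nil, leaf.Issuer.CommonName
}

func main() {
	pub, corp, issuer := InterceptionDemo("www.example.com")
	fmt.Printf("issuer=%q trustedByPublicRoots=%v trustedWithCorpCA=%v\n", issuer, pub, corp)
}
```

The same check is what a user can do by hand: if the certificate for a well-known site is issued by a name you do not recognise, an intermediary is terminating your TLS session.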