I'd caution you against adding/changing headers to just to make things "match" with a working site without knowing what the headers mean.
For one example, the correct, registered MIME type for javascript is application/javascript (not application/x-javascript nor text/javascript). So while playing around with headers can be useful for troubleshooting, you do want to aim for the correct setup. For another, you can't just add C-E: gzip unless your server is actually gzipping the file. However, the C-E difference does provide a clue. Perhaps the IPS or other intermediate device is incapable of streaming-unzipping the gzipped HTTP data, so it just lets it go (this area of weakness is present in a lot of simple security software), whereas when you send it unencoded, it attempts to scan it -- and promptly has a false positive for malicious content. Try setting up your server to actually gzip (it will usually add the header automatically in turn) and see what happens. What I find most depressing is that the IT dept of this big company won't even tell you what IPS rule is mis/firing. It's one thing to "refuse to fix" -- I have done that myself when working in security -- but to not even tell you what rule is causing the error is just incompetent. This is a big company's main website? How important is their web presence that they are just leaving the dev shooting in the dark? -- S.
