The issue is due to the way Internet Explorer interprets the response headers sent from the web server. Internet Explorer (by design, see Microsoft article 937479), will delete the file from the local browser cache before the user can even open it, if the response headers sent from the web server contain the following headers:
- Pragma=No Cache
- Cache-Control=No Cache
so, authentication with Internet Explorer just works fine when a force refresh (CTRL+f5) is sent.
Both browser are sending NTLM credentials in the same packets (see boxes coloured in purple, in the print screen above). So the reason is a design choice of the Microsoft Corporation, not Blue Coat Technologies, Inc.
The Proxy cannot change this specific browser behaviour.
In order to bypass this problem, you can create a new authentication rule to intercept FIREFOX User-Agent and use “Proxy-IP” authentication mode.