When traffic going through the Proxy SG is send to the Proxy AV for virus scanning, and on the Proxy AV the policy configured for password protected archive is to be blocked, any password protected archives are downloaded successfully.
Proxy SG sending traffic over ICAP to Proxy AV.
This will happen if you configure your action on the Web Content Layer to scan the traffic, and in the error handling part you choose if the ICAP service is not available to continue without further ICAP response processing (fail-open). In this case when the Proxy AV engine detects password protected archive it will respond with ICAP error to the Proxy SG. Since the Proxy SG is configured in the error handling to allow the connection the file will be served.