After adding policy to block executable content, attempting to access http://blog.goo.ne.jp/favicon.ico results in a blocked action. Why does the Web Security Service treat this icon file as an executable?

This is because the HTTP response from the server is Content-Type: application/octet-stream.

GET /favicon.ico HTTP/1.1 
Host: blog.goo.ne.jp 
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: ja,en-US;q=0.7,en;q=0.3 
Accept-Encoding: gzip, deflate 
Cookie: BLOGTracking=60.32.139.80.1433397044326951; GUID=000B2AEEE734056F3010BD9E61626364; _ga=GA1.3.1590809012.1433397045; DCDC=B1L3D0C0P13G00; NGUserID=ac142b3e-5036-1433397046-1 
Connection: keep-alive 

HTTP/1.1 200 OK 
Date: Mon, 22 Jun 2015 02:59:24 GMT 
Server: lighttpd 
Cache-Control: max-age=43200 
Content-Type: application/octet-stream 
Accept-Ranges: bytes 
Content-Length: 15086 
Connection: close

Workaround

To access http://blog.goo.ne.jp/favicon.ico, modify the Web Security Service policy to exempt the URL.