An explicit proxy configuration with detect protocol enabled, has deny policy is matched but receives a HTTP status code of 200.
With an explicit proxy, a CONNECT request tells the proxy to connect a client to a remote destination.
With detect protocol enabled, the proxy will send a CONNECT request so it can either A - connect to the OCS and deliver the content or B - deliver the deny page over a secure channel.
If the policy uses option B, deliver the deny page over the secure channel, the proxy can tell the request is denied already, but has not been able to communicate this to the client.
To send a deny page, the proxy first needs to forge a certificate. The proxy will reach out to the site, even if it is denied, to get details of the certificate that will be used for forging one to the client.
In the case that the proxy reaches out and the site is unresponsive for any reason, there will be no client hello, no protocol handoff, and also no receiving of an upstream certificate. As there is no upstream certificate no deny page delivered for this request. In the policy trace no follow up unknown ssl:// request will be present from the ssl proxy and a 403 is expected.
One indicator of this behavior is the total transaction time will be the timeout setting on the proxy.