Will,
Great questions. While I'm not going to say I'm an expert here, I believe I do understand the nature of the questions and the appropriate answers. I'm on the 80-90% positive side about my answers for you.
HTTP GET scanning will actually scan within all of the GET request. If extraneous information is contained within the request, it will be scanned and analyzed according to the policy. If the policy ignores headers, then no, we won't view the headers.
With regard to encoded information, I don't believe this will happen. Just as we don't do any type of decryption of other information, we aren't going to break down extra encoding. We look at the raw packet data and analyze. We rely on the ICAP interface to feed us the data in your example. This allows for the HTTPS decryption to happen as the Proxy does the work in that area. Our Monitor/Prevent products are meant to do analysis on what's provided, not really to manipulate or massage the data.
On the sessionization topic, I don't think we do this, no. A GET request essentially is a quick transmission and once the GET session itself has completed (aka as soon as the content has been retrieved for the user) then it is no longer the same "session" in regard to the actual packets. The only session set we keep is the current transmissions. Each new transmission after will truly be a new "session" to the Monitor/Prevent system.
Hope this helps.