Endpoint Protection

We have just deployed the 12.1.2 server update and client update and I created a new package to send to all endpoints.  In the package I included the firewall but not the Intrusion Prevention.  Does this mean that even though the IPS is not installed for the clients the add-on is still on the machines?  Is it part of the Network Threat Protection or just the IPS?  When I look at the protection technology on all clients in the management console it show that the intrusion prevention for IE and FF is not installed but yet the add-on is installed for all clients anyway and IE9 asks to enable/disable the add-on.  

Is this what was supposed to happen even without the IPS installed and only the Firewall installed?  If it is part of the Network Threat Protection and I create a new IPS policy, can the add-on be enabled by default without user intervention?  

Yes it is separate from IPS component.You can disable from within the IPS policy. See here for all the info:

Expected behavior of Browser Intrusion Prevention

Note that disabling the Browser Intrusion Prevention by policy in this manner does not actually disable the add-on within the the browser.  Instead what occurs is that the add-on enters, essentially, a passthrough mode in which it should perform no filtering.

You can deselect the browser intrusion prevention from the IPS policy assigned to that client - the addon though still will be visible in the browser - now working only in pass-through mode and allowing everything.

The is currently no way of deselecting it from install package - as it would require disabling other features.

Alternatively you should be able to disable the addons as well from the level of the Browser itself.