Over the past ten years I have seen a few problems like this with Black Ice/ISS and with Symantec Endpoint Protection in particular. But in the past four years I had seen no problems like this.
The firewall and the IPS signatures do not scan these hosts for firewall rules, matching attack signatures, port scans, anti-MAC spoofing, or denial-of-service attacks. I pointed out to my customer that as long as the teefer.sys/teefer2 driver is loaded as a filter driver into kernel memory at boot-up, there is a chance that it could delay the HTTP traffic.
And the route between the two was safe as well (no real risk of man-in-the-middle attacks, for example). So they decided to add the host to the exclusion policy and send it to all the workstations.
And the latency problem improved drastically and immediately.
To my surprise, everything from the server-side traces (WFEs, DCs, SQL) looked good.
All the traffic from the server to the client was flowing smoothly, quickly, without TCP resets, without delays.