I'm not saying that it is always so; in most cases the files will be transferred through disk, but yes, it's possible.
(A very nice example, even though not exactly the case we are talking about, was the Slammer worm in 2003. It was never saved to disk; it existed only in the form of a malicious network packet or in memory - which is why quite a few people got confused when they were looking for a sample.)
I don't know what exactly you mean by "files". WebShield scans whatever is transferred through the HTTP protocol - webpages, scripts, but also downloaded executable files, etc.