Interesting...
In fact, this "Stop on-access protection" menu probably shouldn't say "and exit", because it just stops all the resident providers. The processes stay in memory - that's normal. In fact, it's quite important - e.g. for the ashmaisv.exe (Internet Mail provider). When you stop it, it will not scan the e-mail messages, but it has to keep running - because your e-mail client is configured to send/receive all the traffic through this process, so it has to pass it on; if it really exited, you wouldn't be able to send/receive e-mails anymore.
I don't know SlipStream Web Accelerator, so I can't say much about it - but if you say the problem is related to incoming e-mail messages, I sort of doubt it - Outlook Express is redirected to avast, but this SlipStream probably is not.
As for the .TMP file, however... can you somehow identify the content? I mean, is it a file that just came by e-mail? Is the file created only at the moment when an e-mail is received (and scanned)?
In the original post, you said "whenever Internet Mail Provider detects any kind of infection" - what infection did avast! announce in the e-mail? Does it really concern infected e-mails only? Is the TMP file this infected e-mail message, in fact?