OK. It's the Explorer extracting the ZIP content into a temporary folder (most likely at the moment when the download is finished and you "open" the archive) - and that extraction is being scanned by the FileSystem Shield.
Anyway, WebShield doesn't scan HTTPS connections, so these detections are kind of side-effects of something else (such as someone actually extracting the archive).
Oh, when I open the zip folder, there is an MS-DOS application in it, called eicar. If I right-click the eicar application, I only see open, copy, cut, remove, and properties. I click open, then the popup comes.
That's all good?