The X-Content-Type-Options: nosniff header disables IE's mime sniffing feature. A typical example is a response from a web server indicating that a resource is a plain text file, while IE looks at it and determines that it is e.g. HTML instead and renders the response as a web page. If you embed scripts in the plain text response, those will get executed too. To demonstrate the behaviour, here's two links that yield the exact same response. The only difference is that one of these pages includes the X-Content-Type-Options: nosniff header.

The MIME sniffing behaviour changed in IE9, it will not sniff "plain/text" responses unless "Compatibility View" is enabled. See details towards the end of this post on the IEBlog.

Enable "Compatibility View" before visiting the demo links. And remember to disable it afterwards! This is not one of *those* websites.

To learn how to add this header with NWebsec see: Configuring security headers on the project website.