The X-Download-Options is specific to IE 8, and is related to how IE 8 handles downloaded HTML files. Turns out if you download an HTML file from a web page and chooses to "Open" it in IE, it will execute in the context of the web site. That means that any scripts in that file will also execute with the origin of the web site.

In this demo, a cookie without the httpOnly flag will be set. This cookie will then be displayed by a script in the downloaded HTML file. Choose "Open" when prompted what to do with the file.

To learn how to add this header with NWebsec see: Configuring security headers on the project website.