Blocking malicious drive-by downloads..
"The FireEye NX is designed to identify and block attacks delivered via the Web such as drive-by downloads. The FireEye EX protects against attacks delivered via emails such as malicious attachments"
Why not just disable downloaded executables on the base Operating System. Same for email, if the attachment has '4D 5A' at the beginning, then replace it with a dummy variable and inform the user.