If you're using J2EE sessions instead of the normal CF sessions, I think you'd need to pass the jsessionid rather than the sessionid. So might be worth checking the CF admin to see if J2EE sessions are enabled, and if so, pass the jsessionid with the files.

Only other thing I could think of to try, if you want, would be to log the entire CGI scope to see if IE is passing anything else as cookies or headers that look different than the other browsers.