I typically stay away from Cisco IPS unless the entire network is Cisco and there is no prospect of changing. Cisco IPS tends to sync up really well with other Cisco gear.
You'll hear rfn_jhardy talk about TippingPoint for IPS, their stuff is good too, quite scalable.
Knowing me, I think you know what's coming: I use snort. I have had good experiences particularly because it's really flexible and quite powerful.
Also, IPS depends largely on where you work. For example, some networks don't need them at all, while some completely rely on them. Most of the Fortune 500 probably have dedicated IPS teams, folks who do nothing but, I'm sure they're quite busy too.
Typically IPS gear runs a database of security anomalies (traces of suspicious-looking behavior)... so essentially they know what looks dangerous and what looks innocuous. They match up traffic with that database, and it if fails, they block (or instruct other gear to block) said traffic.
Naturally, this type of system could block legit traffic as well, which does happen sometimes, but vendors do their best to streamline their algorithms to make this not happen.
As for all of your particular questions, it depends on a vendor-by-vendor basis. You'd be best to look at Cisco's IPS/IDS tracing mechanisms and algorithms on their web site, there's quite a bit of info out there on it.
Just figured I'd chime in
Reasonably un-nerdy blog:americanwerewolfinbelgrade.wordpress.com/