December 16th, 2003, 05:21 PM
#6
Basically, it's not the business of the routers to be looking at and making decisions about the IP options some machine decides to set. So if your machine requests something from a server on the net and the server replies with some "odd" IP options the packet is going to get back to you regardless. What you are seeing is your IDS, whose job it is to look at such things and react, examining the packet and determining that the IP options are, indeed, "odd" and is dutifully reporting it to you.
If you take a look at the log of the packets in the IDS you should be able to see that the flags set are not simply SYN; it will probably be SYN in combination with ACK, PSH or whatever, though it may be a FIN combination too. In either case, assuming the only flag set is not SYN, the packets are responses to valid connections made by one of your boxes, and thus the firewall will allow them to pass. Were they only SYN packets, then the firewall should be dropping them, and if it isn't, then either it isn't working or you have some ports forwarded through the firewall to internal machines.
To be really sure you need to put a packet sniffer on the inside of the network and examine the packets it logs to determine what exactly is going on. If you are having a problem reading the packet dumps then sanitize them and post them here and we'll all have a look.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
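The flag check the reply describes, as an added example that is not part of the original post: it parses constructed tcpdump-style lines (not a real capture), keeps only packets inbound to an assumed internal prefix of 192.0.2.x, and sorts them into SYN-only attempts (which the firewall should have dropped unless the port is forwarded) versus SYN+ACK, PSH/ACK or FIN/ACK replies that belong to connections an internal host opened.

```python
import re
from collections import Counter

# Assumption for this example: the inside network is 192.0.2.0/24.
INTERNAL_PREFIX = "192.0.2."

# Constructed sample in tcpdump's "Flags [..]" notation; not real traffic.
SAMPLE_LOG = """\
IP 198.51.100.7.80 > 192.0.2.10.51234: Flags [S.], seq 10, ack 1, win 65535, length 0
IP 198.51.100.7.80 > 192.0.2.10.51234: Flags [P.], seq 1:400, ack 1, win 65535, length 399
IP 198.51.100.7.80 > 192.0.2.10.51234: Flags [F.], seq 400, ack 1, win 65535, length 0
IP 203.0.113.9.4444 > 192.0.2.10.445: Flags [S], seq 99, win 1024, length 0
IP 203.0.113.9.4444 > 192.0.2.10.139: Flags [S], seq 99, win 1024, length 0
IP 198.51.100.7.443 > 192.0.2.11.40000: Flags [R.], seq 0, ack 1, win 0, length 0
"""

# src-ip, src-port, dst-ip, dst-port, flag letters (S=SYN, .=ACK, P=PSH, F=FIN, R=RST)
LINE_RE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def classify(flags: str) -> str:
    """Map a tcpdump flag string to what it implies about the connection."""
    syn, ack = "S" in flags, "." in flags
    if "R" in flags:
        return "reset"
    if syn and not ack:
        return "unsolicited-syn"   # a new connection attempt coming in
    if syn and ack:
        return "syn-ack-reply"     # answer to a SYN one of our hosts sent
    if ack:
        return "established"       # ACK/PSH/FIN on an existing connection
    return "unknown"


def analyse(log: str) -> list:
    """Parse the log and classify every packet addressed to an inside host."""
    results = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if not dst.startswith(INTERNAL_PREFIX):
            continue  # outbound; the reply is only about what comes back in
        results.append({"src": src, "dst": dst, "dport": int(dport),
                        "flags": flags, "kind": classify(flags)})
    return results


def unsolicited(results: list) -> list:
    """Inbound SYN-only packets: the firewall should drop these unless the
    destination port is deliberately forwarded to an internal machine."""
    return [r for r in results if r["kind"] == "unsolicited-syn"]


if __name__ == "__main__":
    packets = analyse(SAMPLE_LOG)
    print(Counter(p["kind"] for p in packets))
    for p in unsolicited(packets):
        print(f"check firewall: SYN from {p['src']} to {p['dst']}:{p['dport']}")
```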