Thanks Steve.
It has been a long ride on this project, but I think I figured it out. I successfully got it working this morning (a 5 day project) by deselecting the 'Windows Authentication' option within the Authentication options of the website. I tried with and without the 'Enable Kernel-mode authentication' checkbox and it always failed.
After removing Windows Authentication altogether, it worked fine. I have no idea if this is the expected setting or not, so I don't know if this will break something in the future.
I want to also note that this is a shared configuration, where the UNC path (file share) is on a server that is actually in a different domain! I created a trust relationship between the two domains and added the Network Service account to the file server by adding the <domain>\<computername>$ account to a local group, and then assigned that group permissions to the share.
Example: microsoft.com\webserver1$ <-- represents a computer's Network Service account
The command to do that is:
net group <localcompgroupname> <domainname>\<computername>$ /add
I also made sure that the application pool's advanced setting for Identity was set to NetworkService, and Enable 32-bit Applications was set to True (I have 64 bit web servers). In the Basic Settings of the website, I also had to set the 'Connect As' setting to use the 'Application user (pass-through authentication)' to get all of this to work properly. Shared configurations are powerful, but they aren't ready yet for 'the common IT guy' to configure.
Another note; you have to disable shared configuration on the web servers, prior to installing FTP 7.5 or WebDAV 7.5, etc. Actually, as funny as this sounds, it appears that you have to temporarily disable shared configuration in IIS for any other software application installs, updates, or upgrades that depend on or work around IIS. I tried applying Windows Updates to my IIS 7 server and it kept failiing. I also tried adding or removing features to IIS 7 and it kept failing. As soon as I disabled the shared configuration, they worked again. So now, I am in the habit of diabling/intstalling/enabling shared configurations whenever I do anything.
Another piece of advice; make sure your log files for each web farm server are local to each webserver. It increases performance and you won't experience file locks. IIS 7 doesn't have the ability to set the log filename, so each server would try to write to the same file in the shared folder.
And yet another; Microsoft says that IIS 7.0 has a 'severe limitation' in the management interface. When you add SSL certificates, it won't let you enter a host name. Simply add the SSL certificate, then open the applicationHost.config file, find the 'bindings' section and alter the ssl entry like the line below and restart IIS on the webfarm servers and you should be fine.
from
<binding protocol="https" bindingInformation="10.0.0.1:443:" />
to
<binding protocol="https" bindingInformation="10.0.0.1:443:www.microsoft.com" />
(the IP address indicated above 10.0.0.1 represents the primary IP address of your web farm server, regardless of what IP address you assigned it on the server!!! ISA server routes all traffic using webfarm IP's NOT your virtual IP address)
I can still get those logs for you if you would like me to, but I think my problem is resolved for now. I really, really hope this post helps someone somewhere.