Could be that the package hash is wrong and needs to be reset, or it could be that the file's permissions allow it to be downloaded by a person's account, but not by a computer's localsystem account.
No dice on the hash reset, and the file has the exact same permissions as the rest of the files.
If I browse directly to the file using IE on the target computer, it also fails. However, if I do the same thing from inside the same subnet that the core is on, it works just fine.
So obviously you have something on the network causing this problem, if it works on the same subnet.
When I push SP3, whether on the same subnet or not, I don't see this issue, so it definitely only something in your environment.
Maybe a proxy or a cache or an intrusion detection device or some type of URL scanner tool.
Eh, got the security and patch manager method working. Hopefully I won't run into this with custom packages, but..