With the help of the server admin, got this fixed. It is ridiculously easy and should be presented that way by Adobe rather than a lengthy white paper that rambles on (like my post). The solution was to put a crossdomain.xml file in the SERVER's root directory. The file's structure is like my second example above (with site-control, allow-access-from, and allow-http-request-headers-from). I did change the "master-only" to "all". This opens the server up to be used by any external Flash files. We left the other crossdomain.xml file (with specific domains listed by each allow-access-from) in the CONTENT's root directory. This specifies what Flash files have access to the folder's content.

I had seen posts elsewhere where people had similar security issues, but couldn't do anything because the SERVER was not allowing them access to the DIRECTORIES that they previously had access to via the crossdomain.xml in that DIRECTORY. It took a server admin putting a second permissions file in the SERVER's root to allow access further down.