A quick reminder, after having spent too much time on it this morning:
When impersonating a client context (in this case through SSPI over Remoting), not only can you not access external network resources, you also can't access files and directories encrypted with EFS. I was stumped over this - WindowsIdentity.GetCurrent() returned the proper user, but trying to create a new file in an encrypted folder resulted in UnauthorizedAccessExceptions (Win32 error #5).
The solution - my Unimpersonator to the rescue!
Hmm. Remoting, impersonation, EFS and Access Denied - that should be enough for google to work with, right? :)