You're on the right track, as this would most likely relate to permissions configuration.
If you suspect there is an issue with the IUSR account permissions a quick test you can perform is to replace the IUSR account on the Symantec Web Server with a domain administrator account. Once replaced restart IIS and see if your clients begin to communicate. If so than there are permissions issues with the IUSR account. It would not be recommended to keep the administrator account in IIS however as this would present a security risk. Also enabling IIS logging for the Symantec Web Server may be useful as it will allow logging of the error code and may include a sub code, something like 402 1 for example.
It would also be helpful to run our SEP Support Tool on the SEPM server. Generally this will locate errors and provide you with a document to help resolve the issue. If you are not able to locate the cause of the issue you may save a full report and provide us with the data. We can then review this and let you know what is discovered.
The SST can be downloaded directly from RU5 and newer clients from the Help and Support button. I've also included a document link below for this tool.
About the Symantec Endpoint Protection Support Tool
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008120810393048