From the sounds of things, you have the SEPM and LUA on the same box, and are currently using a custom Distribution Centre in IIS as well, is that correct?
Regarding the SEPM and LUA bit, if they are on the same box, then it's recommended that you separate them. It goes against the LUA Best Practices to have it on the same box as any other Tomcat-based application, as per the below article:
http://www.symantec.com/docs/TECH93409
Regarding the Distribution Centre: As it is a custom one (as evidenced by the non-default path) then you can set the permissions required for it, and accounts that can use it, as you see fit. You can even set it to allow anonymous connections if you want, it's just an IIS permissions change.
Incidentally, this is exactly what you'd end up with if you used the below article for configuring a custom Distribution Centre:
http://www.symantec.com/docs/TECH132545
So the fact you're providing creds in the LU Policy and that the DC is requesting them (for the download), would be down to a configuration choice your company has deliberately taken (in deviating from the Symantec articles).
To that end, if you want to investigate in more detail, then enable IIS logging for the site, and verify the SEP Clients failing authentication have picked up the latest LU policy from the SEPM (telling them to use the new creds).
#EDIT#
Just noticed the UNC bit. Please confirm the failing SEP Clients have got the latest LU policy (check policy serial numbers). Also, please advise how your share and NTFS permissions are set, and if there are any failed logon attempts in the event log of the Distribution Centre.
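
As an added example (not part of the original post): a Python sketch of the IIS log check suggested above, tallying 401 responses per client so that clients still presenting old credentials stand out. The log lines, the `/custom_dc/` path, the account names and the IPs are constructed, and it assumes the W3C fields shown in the `#Fields` line are enabled for the site.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (paths, accounts and IPs are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2015-03-02 09:14:01 10.0.0.5 GET /custom_dc/catalog.zip - 10.0.0.21 401 2 5
2015-03-02 09:14:01 10.0.0.5 GET /custom_dc/catalog.zip svc_old 10.0.0.21 401 1 1326
2015-03-02 09:14:07 10.0.0.5 GET /custom_dc/catalog.zip svc_lu 10.0.0.22 200 0 0
2015-03-02 09:15:30 10.0.0.5 GET /custom_dc/catalog.zip svc_old 10.0.0.21 401 1 1326
2015-03-02 09:16:02 10.0.0.5 GET /custom_dc/catalog.zip svc_lu 10.0.0.23 401 3 5
"""

# IIS 401 substatus meanings relevant to this check.
SUBSTATUS = {
    "1": "logon failed (credentials rejected)",
    "2": "no credentials sent (normal first challenge when anonymous is off)",
    "3": "authenticated but denied by the resource ACL",
}

def parse_w3c(text):
    """Yield one dict per request, using the column order from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def auth_failures(text):
    """Return {client_ip: {(username, substatus): count}} for 401 responses."""
    out = defaultdict(lambda: defaultdict(int))
    for row in parse_w3c(text):
        if row.get("sc-status") == "401":
            key = (row.get("cs-username", "-"), row.get("sc-substatus", "?"))
            out[row["c-ip"]][key] += 1
    return {ip: dict(counts) for ip, counts in out.items()}

def bad_credential_clients(text):
    """Clients whose credentials were rejected (401.1): check their LU policy serial."""
    hits = {(ip, user) for ip, counts in auth_failures(text).items()
            for (user, sub) in counts if sub == "1"}
    return sorted(hits)

if __name__ == "__main__":
    for ip, counts in sorted(auth_failures(SAMPLE_LOG).items()):
        for (user, sub), n in sorted(counts.items()):
            print(f"{ip} user={user} 401.{sub} x{n}: {SUBSTATUS.get(sub, 'other')}")
    print("Rejected credentials:", bad_credential_clients(SAMPLE_LOG))
```

A 401.2 with no username followed by a 200 for the same client is the ordinary challenge/response; repeated 401.1 entries with a username are the ones to compare against the policy serial number on that client.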