OK - I've come in this morning and reset my Trusted Sites back to default (medium) and the console is still no longer prompting me for UAC, so whatever things I have tried here (or the overnight reboot) seems to have solved that.
The drag permissions problem was still evident this morning, so I checked the Altiris logs and sure enough a Restriction check (informational) entry was there for each time the above permissions error has been displayed:
Restrictions check for item 2147b7df-fbe1-4c00-a809-6988b585cd3a failed due to missing permission ac296df1-eb40-4592-899f-25d5c07d45f6
-----------------------------------------------------------------------------------------------------
Date: 27/06/2014 10:14:57, Tick Count: 74437781 (20:40:37.7810000), Host Name: (removed), Size: 393 B
Process: w3wp (1208), Thread ID: 322, Module: w3wp.exe
Priority: 4, Source: Altiris.NS.Services.CoreServices.Wrappers.EventLogWrapper.ReportInfo
File: C:\ProgramData\Symantec\SMP\Logs\a.log
I checked the permissions for Symantec Administrators on one of those groups and they were all UNTICKED!
I then tried to create a new account with the Symantec Administrators role and had the same problem with that account also - could not drag computers to certain groups.
So I tried to create a new Org group in the same level as the groups causing the problem. Dragging computers to that group worked fine. BUT HERE IS THE STRANGE THING - since doing that, dragging to the groups that were previously giving problems also now works fine! This is confirmed by checking the permissions for Symantec Administrators on the previously problematic groups again, and they now appear with everything ticked (as expected).
So something strange has gone on where perhaps permissions have not been copied/updated after the SP1 upgrade and creating a new group has somehow instigated a permissions refresh on the whole group which has fixed the problem.
Glad the problems now seem fixed and hopefully this information will be useful to someone....