Unable to display the user selection dialog (null)
Shawn Fessenden
2004-07-26 18:01:14 UTC
Yes, I know it looks familiar :)

Windows 2000 Professional
IIS 5
MSBSA 1.2
IIS Lockdown

After running IIS Lockdown and following the suggestions of the BSA, I can
no longer add accounts to the security dialog for any object. I've done my
homework and found several suggestions for curing this problem, but none
work. I've reversed the suggestions of the BSA and that didn't work. I
uninstalled and reinstalled IIS and that didn't work. I followed all the
directions I could find about this problem (even MS's instructions in the KB
article about this problem) all to no avail.

My problem is that I have a CGI application that uses MAPI, and in order for
that to happen I have to give the IIS login account access to
HKEY_CURRENT_USER. I can't do that. The CGI app is mine. In the meantime,
can I use CreateProcessAsUser from it?

Please, somebody, throw me a bone.
-SHAWN-
***@testech-ltd.com
David Dickinson
2004-07-28 21:40:08 UTC
Can you describe the symptoms in more detail? What
happens when you try to modify the security settings?
Does anything show up in the event log?

David Dickinson
eveningstar at mvps dot org
(Please reply only to the newsgroup)
Shawn Fessenden
2004-07-31 12:31:42 UTC
Post by David Dickinson
Can you describe the symptoms in more detail?
Addition of an ACL entry for any object is impossible. The result of
clicking Add... in any security dialog is "Unable to display the user
selection dialog". I can edit current permissions and that works fine.

Cacls *is* able to add ACL entries to file objects. For instance:

cacls Passwords.txt /g Shawn:f

replaces the ACL of the file and grants the proper permissions. Cacls is
also able to properly add, remove and edit permissions. This is great for
files, but my problem is in the registry.

In user management, properties of user, Member Of tab shows icons, but no
group names. Clicking Add... produces message "An error occurred attempting
to create the Object Picker. An error with no description has occurred."
Post by David Dickinson
What happens when you try to modify the security settings?
Editing current permissions is ok, either with cacls or GUI.
Post by David Dickinson
Does anything show up in the event log?
Application log shows nothing. System log shows nothing. Security log shows
my security audits. Success and failure audits are on. The following
sequence is what happens when I try to add an acl entry to a file (with the
GUI, using explorer right click properties Security Tab Add...):

Category: Priv use, priv service called, SeIncreaseBasePriorityPrivilege
Category: Detailed Tracking, filename: \winnt\explorer.exe
Category: Priv use, priv service called, SeIncreaseBasePriorityPrivilege
Category: Priv use, Priv object operation, SeSecurityPrivilege,
SeTakeOwnershipPrivilege
Category: Priv use, priv object operation, SeSecurityPrivilege
Category: Priv use, Priv object operation, SeSecurityPrivilege

One interesting detail is that the Primary User Name of the last two
operations is my computer name with a dollar sign appended: "PIII733$".
There is no such user, though this is a success audit. According to MS, this
may be the SYSTEM account attempting to enumerate users. If it's the SYSTEM
account, then why the heck does it show PIII733$ instead of SYSTEM?

Other details in KB816818 have been taken care of: AllowedPaths is correct,
the SYSTEM account has read access to the winreg key, RestrictAnonymous is
0. In spite of all this it still doesn't work. What the heck did IIS
Lockdown do to my system?
-SHAWN-
Shawn Fessenden
2004-07-31 13:53:29 UTC
SOLVED!
Post by David Dickinson
David Dickinson
David, thank you for your help - your prompt for more information led me to
search the net again, and I found a fix.

I have no idea why it makes a difference or what messed things up, but the
HKEY_CLASSES_ROOT\LDAP key was missing. I was led to this key by a posting
to whatismyipaddress.com:
http://www.whatismyipaddress.com/forums/post.asp?method=ReplyQuote&REPLY_ID=887&TOPIC_ID=402&FORUM_ID=8

User "cleverett" posted the crucial clue. This article also references KB
article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;269489

entitled "Missing HKEY_CLASSES_ROOT\LDAP\Clsid Registry Key Causes Numerous
Errors." I then found that the whole LDAP key was missing. I checked another
of my Windows 2000 computers and found the following:

HKEY_CLASSES_ROOT\LDAP:
(Default), REG_SZ, URL:LDAP Protocol
EditFlags, REG_BINARY, 02 00 00 00
URL Protocol, REG_SZ, ""

HKEY_CLASSES_ROOT\LDAP\Clsid
(Default), REG_SZ, {228D9A81-C302-11df-9AA4-00AA004A5691}

HKEY_CLASSES_ROOT\LDAP\shell
(Default), REG_SZ, (value not set)

HKEY_CLASSES_ROOT\LDAP\shell\open
(Default), REG_SZ, (value not set)

HKEY_CLASSES_ROOT\LDAP\shell\open\command
(Default), REG_SZ, "C:\Program Files\Outlook Express\wab.exe" /ldap:%1

For those who don't know, LDAP stands for Lightweight Directory Access
Protocol. I can't imagine why this is necessary for the GUI ACL add to work,
but apparently it is.

Thank you to all for considering my problem, and especially thank you again
David who was the only one to respond.
-SHAWN-
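A read-only check for the HKEY_CLASSES_ROOT\LDAP hierarchy that the post above found missing, added here as an example and not part of the original thread. The reference values are copied from the listing in the post; the wab.exe command line in particular is whatever that poster's second machine had, so a different path there is informational rather than a defect, and the CLSID is reproduced as posted rather than independently verified.

```powershell
# Added example (not from the original thread): verify that the
# HKEY_CLASSES_ROOT\LDAP keys and values listed in the post exist.
# The script only reads the registry; it never creates or changes anything.

# Expected layout, relative to HKEY_CLASSES_ROOT, copied from the post.
# '(Default)' stands for the key's default value; an empty table means
# "the key must exist, no particular value is expected".
$expectedLayout = [ordered]@{
    'LDAP'                    = @{ '(Default)' = 'URL:LDAP Protocol'; 'URL Protocol' = '' }
    'LDAP\Clsid'              = @{ '(Default)' = '{228D9A81-C302-11df-9AA4-00AA004A5691}' }
    'LDAP\shell'              = @{}
    'LDAP\shell\open'         = @{}
    'LDAP\shell\open\command' = @{ '(Default)' = '"C:\Program Files\Outlook Express\wab.exe" /ldap:%1' }  # path as posted; varies per install
}

function Test-LdapProtocolKey {
    [CmdletBinding()]
    param()

    foreach ($relative in $expectedLayout.Keys) {
        $path = "Registry::HKEY_CLASSES_ROOT\$relative"

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Key = $relative; Value = '<key>'; Status = 'MISSING KEY'; Actual = $null }
            continue   # nothing below this key can be checked
        }

        $key = Get-Item -LiteralPath $path

        foreach ($name in $expectedLayout[$relative].Keys) {
            # RegistryKey.GetValue('') returns the (Default) value, or $null if unset.
            $lookupName = if ($name -eq '(Default)') { '' } else { $name }
            $actual     = $key.GetValue($lookupName)
            $expected   = $expectedLayout[$relative][$name]

            $status = if ($null -eq $actual)        { 'MISSING VALUE' }
                      elseif ($actual -ne $expected) { 'DIFFERS' }
                      else                           { 'OK' }

            [pscustomobject]@{ Key = $relative; Value = $name; Status = $status; Actual = $actual }
        }

        # The post lists EditFlags as REG_BINARY 02 00 00 00 on the LDAP key;
        # compare it byte for byte rather than as a string.
        if ($relative -eq 'LDAP') {
            $flags  = $key.GetValue('EditFlags')
            $status = if ($null -eq $flags)                       { 'MISSING VALUE' }
                      elseif (($flags -join ',') -ne '2,0,0,0')   { 'DIFFERS' }
                      else                                        { 'OK' }
            [pscustomobject]@{ Key = $relative; Value = 'EditFlags'; Status = $status; Actual = ($flags -join ' ') }
        }
    }
}

# Usage: run from any elevated or non-elevated prompt; HKCR is world-readable.
$results = Test-LdapProtocolKey
$results | Format-Table -AutoSize
if ($results.Status -contains 'MISSING KEY' -or $results.Status -contains 'MISSING VALUE') {
    Write-Warning 'HKEY_CLASSES_ROOT\LDAP is incomplete; compare against a known-good machine before restoring it.'
}
```

The check is deliberately split per value so that a partially present hierarchy (for example the LDAP key existing without its Clsid subkey, the situation the KB article title describes) shows up as a specific missing item rather than a single pass/fail. Restoring the key is left to a manual export from a known-good machine, as the poster did, because the command value is installation-specific.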
