we found something similar last week to do with communicating between flash movies and javascript when running an application locally, in development for example.

normally we can overcome these security settings by always allowing access in the global.security.settings however it seems that running the app over http is the only way for now for the kind of communication our applications require.

great resources on the issue though, thanks a lot.