OK, it looks like I may have solved my issue. Some credit goes to ZINC666 (see above) as I followed his advice regarding proxy rules. Unfortunately I did not keep careful notes on the exact sequence of things that I did. Here's roughly the process:
(1) I checked our MS ISA Proxy 2004 setup. I added a new firewall rule which I called "Microsoft Update" and set it so that it allowed traffic from anywhere on my network to the domains listed above (see ZINC666's post). I specifically set it so that it would allow traffic for system services, not just authenticated users.
(2) I restarted some services on my affected server: Cryptographic Services, IIS+Symantec, as well as another that I noticed which was the WinHTTP Web Proxy Auto-Discovery Service (not sure if any of that was required, but anyway, that's what I did).
(3) I used the PROXYCFG app to try to turn off use of the proxy by this server (I don't think this worked, but ...)
Now here's an odd thing. The very next time the CRYPT32 process showed up in the Event Log on the affected server, it was an error. I was quite discouraged, so I decided to try Diagnostic Logging on the ISA server.
The error had been happening regularly every 11 minutes. So I waited until about 10 seconds before it was due, turned on the logging, waited for the error ... and ... for some reason it then WORKED and did not fail.
I cannot explain this. But it may be that between the first time it failed and the time it worked, the WinHTTP Web Proxy Auto-Discovery Service was stopped. I am not sure. But maybe this will help someone.
After the update worked, I checked the Event Logs on the proxy server and found a few interesting things. At the time the update worked there were event items such as:
-- connected client was not authenticated (I presume this means it was a system service of some kind)
-- the rule Microsoft Update matches the packet. The packet is allowed. (This is the new rule I set up according to ZINC666's list above)
Sorry this is semi-incoherent. But maybe someone can make some sense of it and it may help.