The crossdomain file is not needed when a user access the app as http://example.com/flexviewer and the services listed in the config.xml are on http://example.com/.
When a user access the app at http://www.example.com/flexviewer (and the config is as above), then Flash Player will treat http://www.example.com/ as different from http://example.com/ and thus look for the crossdomain file.
The crossdomain file needs to be in the root. The 401.3 problem is what you need to fix. What web server are you using? If you are using IIS 5.0, 5.1 or 6.0, then http://support.microsoft.com/kb/271071/ might help 🙂
Cross-domain issues are very common. So, if anyone else has trouble with them check out these blog posts as a starting point: http://blogs.esri.com/Dev/blogs/arcobjectsdevelopment/archive/tags/cross-domain/default.aspx