Thanks for the reply Adam.  I was actually using the 'Programmatic Security' example from the CuteSoft sample pages (implementSecuritypolicy.aspx).  I put the virtual directory in the 'uploads/users/John' folder and had it point to the 'uploads/member' folder. 

 

I did notice another strange thing: when I've selected the current user as 'John (admin)', I get the error I described above, but when I've selected 'Administrators' and browse to the 'uploads/users/John/common' and select an image from the image gallery, the URL appears as /Uploads/Members/Common_Picture01.jpg (which is basically correct; it's remapping the URL to the real image location, but that's fine).