You may want to look at this article we have seen this behavior due to the file being blocked. You can verify it by looking in the file's properties, under the General tab
Deployment Failures Caused By Blocked Files
I'd already skimmed that reference, it sounds like it, but no, I don't see that security warning on the patches (unless it's somewhere else in Server2008R2). Plus, I *did* see the popup, it was just that I was logged in as the same username used as credentials to push the patches.
Thanks for the reply, Travis.
EDIT: Oh, wait, I'm being stupid: clearly the system knows it's been "Downloaded from the Internet", it says so right on the UAC prompt. Let me look into that a little more before I show more ignorance ...
EDIT EDIT: I used streams.exe to remove Zone.Identifier from the Adobe patches, all looks good. Thanks for the pointer.