We looked into this in a connect meeting. The issue was that the site definition was pointing to a folder above the root of the powerstore site and they had entered the Restrict Access server behavior and re-applied it... this caused it to update the path to the security assist include to the root of the site and it became out of sync with the security rules the pages were trying to use.
The solution was to update the paths back to the correct security assist folder in the sub-directory instead of the version in the root.