The file web.sitemap required by XmlSiteMapProvider does not exist.
It turns out that the web server on my development box was configured to allow anonymous access, with the "Internet Guest Account" identified as the proxy account. This is the account named IUSR_<server name>. Fairly standard set-up.
What we changed, what seems to have dealt with the problem, is to specifically grant permissions to IUSR_<server name> to the file system folder that the virtual directory was mapped to. From Windows Explorer, context-click the folder, pick Properties, then pick the Security tab. Because the web app writes log files under that folder, and the web site admin can also use the app to add and delete uploaded files (themes, templates, that sort of thing) under that folder, we granted Full Control to the Internet Guest Account.
YMMV. Reflecting on this, it occurs to me that it's probably not the best choice from a security point of view to allow the web app this degree of access. Config parameters that point to the log files and templates and themes would be a good idea: I will bring it up with the team.