Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository. If the repository being crawled is a SharePoint repository, verify that the account you are using has "Full Read" permissions on the SharePoint Web Application being crawled
It turns out that I should have disabled the loopback check as mentioned in SharePoint disable loopback check (DisableLoopbackCheck in registry). This is just a matter of setting a DWORD value for DisableLoopbackCheck in the registry under HKLM\SYSTEM\CurrentControlSet\Contro\Lsa
Curious, I did some more research on what DisableLoopbackCheck actually does and came across KB896861 which mentions that the preferred approach would be to create a MultiString Value BackConnectionHostNames in the registry under HKLM\SYSTEM\CurrentControlSet\Contro\Lsa\MSV1_0 and add a list of your host names.
I also found this reference about DisableLoopbackCheck & SharePoint: What every admin and developer should know. This explains why the latter is better for security reasons.
Unfortunately, when I tried the latter, the http start address crawled properly but the sps3 one would not. Since I was short on time and this was just a demo server I decided to cheat and go with the former. Maybe someday I will reinvestigate this.