Looks like you've found a bug.
When TFS Deployer was updated to work with TFS 2010, the API for connecting to TFS changed. The API TFS Deployer now uses to connect to TFS only uses the provided credentials if the default credentials (i.e. the user TFS Deployer is running as) fail.
Because there is a trust relationship between DEVDOM and TFSDOM, Deployer is able to authenticate with the default credentials (DEVDOM\admin) and hence never tries the TFSDOM credentials. Unfortunately, while the first credentials authenticate, that account is not authorised to access the resources Deployer needs.
I will look at changing TFS Deployer to use a different method for connecting to TFS so that the provided credentials are always used first. In the meantime, however, you have some options:
1. Given that TFS is recognising your DEVDOM\admin account via the cross-domain trust, you could grant that account access to the TFS resources Deployer needs; or
2. For the user account that TFS Deployer will run as, configure different credentials in the Windows Credential Manager to use for the TFS server; or
3. Run TFS Deployer using a local-machine user account that won't be recognised by the TFSDOM domain, and the settings in the configuration file should then be used.
This choice will be partly influenced by the answer to your second question about the service account. There is some information about service accounts in the wiki here:
I always recommend running any service with its own service account with the least privileges it needs to work. For TFS Deployer I typically go so far as creating a dedicated service account for every instance in the network. If Deployer will be performing deployments completely local to the machine it is running on, you can create a local-machine account for the service account. If TFS Deployer will be accessing remote resources (including the build drop folder) you may want to configure the local account as a shadow account, or use a domain account instead for the service.
Whichever you choose, when testing TFS Deployer interactively with the "-d" switch I recommend doing so by first starting a Command Prompt using the same credentials you've configured as the service account (i.e. Log On As) so that it runs much the same as it will as a service.
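The workaround in options 2 and 3 above, plus the interactive "-d" test, as an added PowerShell example. This is not code from the TFS Deployer project or from the post; the TFS host name, the TFSDOM account, the local service account, the Windows service name and the path to the executable are all hypothetical placeholders to replace with your own. It shows the one detail that is easy to get wrong: Credential Manager entries are per-user, so the entry for the TFS server has to be created while running as the service account, in the same prompt you then use to run Deployer with -d.

```powershell
# Added example, not part of the TFS Deployer project or the original post.
# All of the values below are assumptions for illustration; replace them.
param(
    [string]$TfsHost             = 'tfs01.tfsdom.local',                   # hypothetical TFS server
    [string]$TfsUser             = 'TFSDOM\svc-tfsdeployer',               # hypothetical TFSDOM account
    [string]$LocalServiceAccount = "$env:COMPUTERNAME\svc-tfsdeployer",    # hypothetical local account (option 3)
    [string]$ServiceName         = 'TfsDeployer',                          # hypothetical Windows service name
    [string]$DeployerExe         = 'C:\TFSDeployer\TfsDeployer.exe'        # hypothetical install path
)

# Show the account the installed service is configured to Log On As. This is the
# identity whose default credentials the TFS API tries first, so it is also the
# identity the interactive test should run under.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { "Service '$ServiceName' logs on as: $($svc.StartName)" }
else      { "Service '$ServiceName' not found; check the service name." }

# Prompt for the service account's password; the interactive session below runs as it.
$svcCred = Get-Credential -UserName $LocalServiceAccount -Message 'Service account password'

# Commands executed *as the service account*. cmdkey writes to the Credential
# Manager of the user running it, so creating the entry from an administrator's
# prompt would not help the service at all.
$inner = @(
    'whoami',                                     # confirm the prompt runs as the service account
    "cmdkey /add:$TfsHost /user:$TfsUser /pass",  # option 2: store TFSDOM creds for the TFS host (prompts for password)
    "cmdkey /list:$TfsHost",                      # verify the stored entry
    "& '$DeployerExe' -d"                         # run Deployer interactively under the same identity
) -join '; '

# Open the test session under the service account with its profile loaded,
# the equivalent of the "Command Prompt using the service account credentials"
# recommended above.
Start-Process -FilePath 'powershell.exe' `
              -Credential $svcCred `
              -LoadUserProfile `
              -ArgumentList '-NoExit', '-Command', $inner
```

The service account needs to be allowed to log on interactively for Start-Process -Credential to open the session; if your hardening removes that right for service accounts, grant it temporarily for the test and revoke it afterwards. If the -d run still authenticates as the wrong identity, the `whoami` output in the spawned window is the first thing to check.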