it doesn't have to be in the root, as long as you specify the location in

System.security.loadPolicyFile('http://www.palmnet.me.uk/chumby/crossdomain.xml')

to debug from your PC, make sure you are using a debug version of flash (you can download for your platform here. i use the standalone debug player.

to make the debug player report policy stuff in a log you need to follow the instructions
here. it's very simple, just make a mm.cfg file in the right place depending on the platform you're on (see the link) with the contents:

PolicyFileLog=1
PolicyFileLogAppend=1

because newer versions of flash have different security requirements (adobe keep changing the way crossdomain stuff works!) i found (with a lot of help from unwiredben!) that you also need to alter the MIME type sent by the server to be 'text/x-cross-domain-policy' and also send an extra header of 'X-Permitted-Cross-Domain-Policies: all' to stop it complaining about meta policies. to do this in my cgi script for the talking clock i use the following perl code:

    print "Content-type:text\/x-cross-domain-policy\r\n";
    print "X-Permitted-Cross-Domain-Policies: all\r\n\r\n";
    print "<\?xml version=\"1.0\"\?>\r\n\r\n";
    print "<cross-domain-policy>\n";
    print "  <allow-access-from domain=\"\*\" \/>\n";
    print "<\/cross-domain-policy>\n";

if you're using PHP on your server check out the header function.