More developments in this.  I've now reinstalled my production copy from fresh downloads, including re-downloading the last database backup and restoring the database entirely; producing a local site in which my host login can get to the admin and host pages.  On this base I installed 4.9.5 from the upgrade kit I previously downloaded.  The install identified NO errors.  The site came up.  I logged in as host.  I still can't display the Host > Host Settings page, or any of the pages from which you can affect the config.  I can display the Dashboard and What's New pages under Host (but you can't change anything there).  The weird thing is that I'm not getting any DNN errors; I'm getting IE errors.

Right now I think it's either something wrong with the upgrade kit I downloaded (corrupted in download, maybe?), or, I screwed up something in the web.config when I merged my local modifications.  I use WinMerge to do the merge.  Here are the 3 sections of web.config (the one that's on the site now) where I changed something; the strings I changed are in red.  I'll be looking through these myself, but if someone else sees something stupid, I'd really appreciate a suggestion.

<connectionStrings>
    <!-- Connection String for SQL Server 2005 Express -->
    <add 
      name="SiteSqlServer" 
      connectionString="Data Source=.\SQLEXPRESS; Initial Catalog=oaklandsymphonychorus; Integrated Security=True;" 
      providerName="System.Data.SqlClient" />
  </connectionStrings>

 <appSettings>
    <!-- Connection String for SQL Server 2005 Express - kept for backwards compatability - legacy modules   -->
    <add key="SiteSqlServer" value="Data Source=.\SQLEXPRESS; Initial Catalog=oaklandsymphonychorus; Integrated Security=True;" />     
    <add key="InstallTemplate" value="DotNetNuke.install.config" />
    <add key="AutoUpgrade" value="true" />
    <add key="UseInstallWizard" value="true" />
    <add key="InstallMemberRole" value="true" />
    <add key="ShowMissingKeys" value="false" />
    <add key="EnableWebFarmSupport" value="false" />
    <add key="EnableCachePersistence" value="false" />
    <add key="HostHeader" value="" />
    <!-- Host Header to remove from URL so "www.mydomain.com/johndoe/Default.aspx" is treated as "www.mydomain.com/Default.aspx" -->
    <add key="RemoveAngleBrackets" value="false" />
    <!--optionally strip angle brackets on public login and registration screens-->
    <add key="PersistentCookieTimeout" value="0" />
    <!--use as persistent cookie expiration. Value is in minutes, and only active if a non-zero figure-->
    <!-- set UsePortNumber to true to preserve the port number if you're using a port number other than 80 (the standard)
    <add key="UsePortNumber" value="true" /> -->
  </appSettings>

<!-- The system.webServer section is required for IIS7 compatability It is ignored by IIS6-->
  <system.web>
    <!-- Ensure validationkey is not set to AutoGenerate,IsolateApps so it correctly supports webfarms -->
    <machineKey validationKey="C927E58A8A28F1365C0F27CCD483CEC019CFCDA1" decryptionKey="71D16AC33CD2292C92E1B0EEE5D7FC78BBC69EDED9E40633" decryption="3DES" validation="SHA1" />     
<!-- HttpModules for Common Functionality -->
    <httpModules>
      <!-- add name="Authentication" type="DotNetNuke.HttpModules.AuthenticationModule, DotNetNuke.HttpModules.Authentication" / -->
      <add name="Compression" type="DotNetNuke.HttpModules.Compression.CompressionModule, DotNetNuke.HttpModules" />
      <add name="RequestFilter" type="DotNetNuke.HttpModules.RequestFilter.RequestFilterModule, DotNetNuke.HttpModules" />
      <add name="UrlRewrite" type="DotNetNuke.HttpModules.UrlRewriteModule, DotNetNuke.HttpModules" />
      <add name="Exception" type="DotNetNuke.HttpModules.Exceptions.ExceptionModule, DotNetNuke.HttpModules" />
      <add name="UsersOnline" type="DotNetNuke.HttpModules.UsersOnline.UsersOnlineModule, DotNetNuke.HttpModules" />
      <add name="DNNMembership" type="DotNetNuke.HttpModules.Membership.MembershipModule, DotNetNuke.HttpModules" />
      <add name="Personalization" type="DotNetNuke.HttpModules.Personalization.PersonalizationModule, DotNetNuke.HttpModules" />
      <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpModules>
    <httpHandlers>
      <!-- This is for CAPTCHA support -->
      <add verb="*" path="*.captcha.aspx" type="DotNetNuke.UI.WebControls.CaptchaHandler, DotNetNuke" />
      <!-- This is for Serving files, secure, insecure, from database -->
      <add verb="*" path="LinkClick.aspx" type="DotNetNuke.Services.FileSystem.FileServerHandler, DotNetNuke" />
      <!-- This adds syndication support -->
      <add verb="*" path="RSS.aspx" type="DotNetNuke.Services.Syndication.RssHandler, DotNetNuke" />
      <!-- This adds legacy support for the Logoff page -->
      <add verb="*" path="Logoff.aspx" type="DotNetNuke.Services.Authentication.LogOffHandler, DotNetNuke" />
      <!-- ASP.NET AJAX support -->
      <remove verb="*" path="*.asmx" />
      <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false" />
    </httpHandlers>
    <!-- set code access security trust level - this is generally set in the machine.config
    <trust level="Medium" originUrl=".*" />
     -->
    <!-- set debugmode to false for running application -->
    <compilation debug="false" strict="false">
      <buildProviders>
        <remove extension=".resx" />
        <remove extension=".resources" />
      </buildProviders>
      <assemblies>
        <add assembly="Microsoft.VisualBasic, Version=8.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
        <add assembly="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
        <add assembly="System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
        <add assembly="System.Management, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
        <add assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </assemblies>
     <!-- register your app_code subfolders to generate granular assemblies during compilation   -->                    <codeSubDirectories>                            <add directoryName="Reports" />                           <add directoryName="HTML" />                 </codeSubDirectories>     
    </compilation>
    <!-- permits errors to be displayed for remote clients -->
    <customErrors mode="RemoteOnly" />

    <!-- forms or Windows authentication -->
    <authentication mode="forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" />
    </authentication>
    <!--
		    <identity impersonate="true"/>
		    <authentication mode="Windows">
		    </authentication>
		-->
    <!-- allow large file uploads -->
    <httpRuntime useFullyQualifiedRedirectUrl="true" maxRequestLength="8192" requestLengthDiskThreshold="8192" />
    <httpCookies httpOnlyCookies="true" requireSSL="false" domain="" />
    <!--  GLOBALIZATION
		This section sets the globalization settings of the application. 
		Utf-8 is not supported on Netscape 4.x 
		If you need netscape compatiblity leave iso-8859-1.
		UTF-8 is recommended for complex languages
		-->
    <globalization culture="en-US" uiCulture="en" requestEncoding="UTF-8" responseEncoding="UTF-8" fileEncoding="UTF-8" />
    <!--<globalization culture="en-US" uiCulture="en"  fileEncoding="iso-8859-1" requestEncoding="iso-8859-1" responseEncoding="iso-8859-1"/>-->
    <!-- page level options -->
    <pages validateRequest="false" enableview_stateMac="true" enableEventValidation="false">
      <controls>
        <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </controls>
      <namespaces>
        <add namespace="System.ComponentModel" />
        <add namespace="System.Data" />
        <add namespace="System.Data.SqlClient" />
        <add namespace="System.Drawing" />
        <add namespace="Microsoft.VisualBasic" />
        <add namespace="System.Globalization" />
        <add namespace="DotNetNuke.Services.Localization" />
        <add namespace="DotNetNuke.Entities.Users" />
        <add namespace="DotNetNuke" />
        <add namespace="DotNetNuke.Common" />
        <add namespace="DotNetNuke.Data" />
        <add namespace="DotNetNuke.Framework" />
        <add namespace="DotNetNuke.Modules" />
        <add namespace="DotNetNuke.Security" />
        <add namespace="DotNetNuke.Services" />
        <add namespace="DotNetNuke.UI" />
        <add namespace="DotNetNuke.Entities.Portals" />
        <add namespace="DotNetNuke.Common.Utilities" />
        <add namespace="DotNetNuke.Services.Exceptions" />
        <add namespace="DotNetNuke.Entities.Tabs" />
      </namespaces>
    </pages>
    <!-- ASP.NET 2 Membership/Profile/Role and AnonymousAuthentication Providers -->
    <!-- anonymousIdentification configuration:
          enabled="[true|false]"                              Feature is enabled?
          cookieName=".ASPXANONYMOUS"                         Cookie Name
          cookieTimeout="100000"                              Cookie Timeout in minutes
          cookiePath="/"                                      Cookie Path
          cookieRequireSSL="[true|false]"                     Set Secure bit in Cookie
          cookieSlidingExpiration="[true|false]"              Reissue expiring cookies?
          cookieProtection="[None|Validation|Encryption|All]" How to protect cookies from being read/tampered
          domain="[domain]"                                   Enables output of the "domain" cookie attribute set to the specified value
        -->
    <anonymousIdentification enabled="true" cookieName=".ASPXANONYMOUS" cookieTimeout="100000" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="None" domain="" />
    <membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="15">
      <providers>
        <clear />
        <!-- Configuration for DNNSQLMembershipProvider:
              connectionStringName="string"               Name corresponding to the entry in <connectionStrings> section where the connection string for the provider is specified
              passwordAttemptThreshold="int"              The number of failed password attempts, or failed password answer attempts that are allowed before locking out a user?s account
              passwordAttemptWindow="int"                 The time window, in minutes, during which failed password attempts and failed password answer attempts are tracked
              enablePasswordRetrieval="[true|false]"      Should the provider support password retrievals
              enablePasswordReset="[true|false]"          Should the provider support password resets
              requiresQuestionAndAnswer="[true|false]"    Should the provider require Q & A
			        minRequiredPasswordLength="int"		          The minimum password length
			        minRequiredNonalphanumericCharacters="int"  The minimum number of non-alphanumeric characters
              applicationName="string"                    Optional string to identity the application: defaults to Application Metabase path
              requiresUniqueEmail="[true|false]"          Should the provider require a unique email to be specified
              passwordformat="[Clear|Hashed|Encrypted]"   Storage format for the password: Hashed (SHA1), Clear or Encrypted (Triple-DES)
              description="string"                        Description of what the provider does
        -->
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="SiteSqlServer" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" requiresUniqueEmail="false" passwordformat="Encrypted" applicationName="DotNetNuke" description="Stores and retrieves membership data from the local Microsoft SQL Server database" />
      </providers>
    </membership>
  </system.web>

This is solved, with some help from an imaginative friend who has no experience with DNN but a lot of experience.  In case anyone else gets this error, and to save others from going nuts, here's what it was:

DNN 4.9.5 defaults to HTTPS for admin pages.  Earlier versions (obviously) didn't.

My IIS installation didn't have bindings set up for HTTPS.

I couldn't set up HTTPS bindings, because I don't have a digital cert on my laptop.  (I don't use it for email.)

I've now figured out how to make IIS 7 create a self signed certificate to support HTTPS for test purposes.  If anybody else cares, the Microsoft KB is How to Setup SSL on IIS 7.0.