We are starting development on a new customer portal.  Our users will be High-Volume Portal users. Our requirements for granting record access are beyond what the built-in sharing wizards can handle, so we were advised to use apex managed sharing instead.  The problem is that when we have tried doing inserts into share tables (either standard of custom objects), we're getting this error:

System.DmlException: Insert Failed. First Exception on row 0; first error: FIELD_INTEGRITY_EXCEPTION, User/Group ID: id value of incorrect type: --3Z0000006vM70IAU: [UserorGroupId]

This was the code used:

AccountShare accountShare = new AccountShare();
accountShare.AccountId = '001Z00000078hL1';
accountShare.AccountAccessLevel = 'Edit';
accountShare.OpportunityAccessLevel = 'Edit';
accountShare.UserOrGroupId = '003Z0000006vM7O';
insert accountShare;

This error seems to be telling me that you can't use apex to share records with high volume portal users. If we can't do this, I do not know how else we will be able to provide customers with the access they need. I have read over the limitations at https://login.salesforce.com/help/doc/en/customer_portal_about_HVPUs.htm, but those do not explicitly rule out apex managed sharing.

We will not be using the out of the box customer portal.  Ours will be 100% custom apex and visualforce. Our main objects are Account, Asset, Contract (a custom object referencing Account), and Payment (a custom object referencing contract) .  We need the ability for users to view contracts from other accounts other than the account they are listed as a contact under. This is a core use case for us. We also need users to be able to view records from the Payment object that are related to any contract they have access to. The portal sharing wizards do cover these use cases - all they do is give the user access to objects directly related to the account under which they are a contact.

Any suggestions for how to do this sharing would be greatly appreciated.