There are two sides to a router... The inside... and the outside... The inside is the network portion, and the outside is the tunnel/internet portion. If a device is running security, it will talk to you usually, but will not let you in. Just like a guard at a door/booth. If they have a "no soliciting" policy where-ever you are trying to sell your girl scout cookies, the guard will tell you no, and respond to your questions, but he won't let you anywhere past him... Same thing here... Let's use your MSN trace as an example:
Tracing route to msn.com [207.68.172.246]
over a maximum of 30 hops:
1 31 ms 31 ms 31 ms hsa001.pool030.at101.earthlink.net [216.249.99.1
]
2 30 ms 31 ms 30 ms 216.249.64.33
3 30 ms 31 ms 30 ms cor01-vl-228.ca-pasadena0.ne.earthlink.net [207.
217.2.129]
4 31 ms 31 ms 31 ms bor01-ge-1-2.ca-pasadena0.ne.earthlink.net [209.
165.101.1]
5 46 ms 31 ms 46 ms bor01-so-6-1.ca-sanfranc0.ne.earthlink.net [209.
86.82.66]
6 35 ms 31 ms 30 ms 209.165.103.2
7 30 ms 31 ms 31 ms bor01-vlan10.ca-paloalto1.ne.earthlink.net [209.
165.108.166]
8 30 ms 31 ms 31 ms 209.165.108.170
9 30 ms 30 ms 30 ms pos0-0.core1.pao1.us.msn.net [207.46.33.45]
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
Notice the last point you get a response. That is because each step is one step closer to your goal. You talk to the outside of the router "pos0-0.core1.pao1.us.msn.net", but when you try and talk to the next device, nothing happens. Odd? Not really. The router we just mentioned, step #9, is blocking your ping request from going past that point. If it was your firewall, you wouldn't be able to ping past it. For example, if you bring up Zone-Alarm (which has built in notifications), have in running in full-protect mode, and ping out, a pop up windows will ask you "Do you want to let ICMP ping access the internet", and it will give you file details and other info. A regular firewall doesn't have pop-ups unless it's a potential attack, and just logs the security violation/action, so you will not see anything other than no return.
Now... This explains why you can ping MSN, but not why you cannot download. Because though the ICMP protocal may be blocked, MSN provides quite a few other services, and they should not be blocking thier own services. On that note, it is possible that earthlink(or something else) is blocking portions of MSN, which may or may not be further into the MSN domain than you got to (step 9). Tho you can see in step 1-7 that the earthlink routers pass the packet, step 8 is a public unlabeled router, and passes it to 9 which responds. One I always use for testing is honda.com. Just because.
My MSN tracert:
Tracing route to msn.com [207.68.172.246]
over a maximum of 30 hops:
1 10 ms 9 ms 7 ms 10.73.32.1
2 9 ms 7 ms 7 ms 10.73.32.1
3 9 ms 11 ms 7 ms 172.30.101.81
4 7 ms 7 ms 7 ms 172.30.101.122
5 10 ms 7 ms 7 ms 68.48.0.50
6 9 ms 9 ms 9 ms 12.126.168.5
7 10 ms 9 ms 9 ms tbr1-p012201.wswdc.ip.att.net [12.123.9.74]
8 27 ms 28 ms 25 ms tbr1-cl4.sl9mo.ip.att.net [12.122.10.30]
9 70 ms 70 ms 69 ms tbr1-cl2.sffca.ip.att.net [12.122.10.42]
10 70 ms 69 ms 70 ms tbr2-p012501.sffca.ip.att.net [12.122.9.138]
11 85 ms 83 ms 84 ms 12.122.12.114
12 88 ms 86 ms 85 ms gar1-p360.stwwa.ip.att.net [12.123.203.169]
13 80 ms 80 ms 80 ms 12.127.70.6
14 83 ms 83 ms 81 ms 207.46.33.225
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.pushed ctrl-c here to cancel before it wasted time counting to 30
You can see that in step 14, my first the octets -> 207.46.33.xxx are the same, and it is just the final IP that is different. Same thing, different direction. MSN has blocked this access point, because that it what it would be if it was open. An access point into their network.
Now webservers are different, because they are a little more lenient.
www.honda.com only has web files, no ftp or news or super-duper corperate stuff. Only web stuffs, and so they will let you ping to your hearts content:
Tracing route to www.honda.com [164.109.25.248]
over a maximum of 30 hops:
1 8 ms 8 ms 9 ms 10.73.32.1
2 9 ms 7 ms 8 ms 10.73.32.1
3 9 ms 7 ms 17 ms 172.30.101.81
4 7 ms 7 ms 8 ms 172.30.101.122
5 10 ms 7 ms 7 ms 68.48.0.50
6 9 ms 9 ms 10 ms 12.126.168.5
7 2666 ms 1866 ms 68 ms tbr2-p012301.wswdc.ip.att.net [12.123.9.78]
8 9 ms 12 ms 9 ms ggr1-p3100.wswdc.ip.att.net [12.122.11.238]
9 9 ms 9 ms 9 ms att-gw.dc.uu.net [192.205.32.162]
10 9 ms 9 ms 10 ms 0.so-3-1-0.XL1.DCA6.ALTER.NET [152.63.38.118]
11 9 ms 9 ms 9 ms 0.so-6-0-0.GW6.DCA6.ALTER.NET [152.63.41.221]
12 12 ms 12 ms 11 ms digex-gw.customer.alter.net [157.130.214.102]
13 10 ms 12 ms 12 ms vlan39.dca2a-fdisa-sw1-msfc1.netsrv.digex.com [
64.109.3.149]
14 12 ms 12 ms 12 ms 164.109.87.251
15 12 ms 12 ms 12 ms 164.109.25.248
Trace complete.
So if a router will not respond, your ping will not pass through, and you will get a host unreachable, or a TTL failure (time to loss, everytime a packet hits a router, this TTL, usually around 225, counts down, until it gets to 0. After it hits 0, the next router it gets to will trash it).
Very long explanations to say, there is probably something much simpler going on. Are you running Zone Alarm? Are the sites you're trying to access blocked in IE for security or privacy reasons? To check go to IE, clock on tools menu, then options. And verify under security and privacy, that access and cookies are not blocked for both of these sites. Also if running Zone Alarm, verify cookies handling stuff there under the privacy menu. Another good indication is if you get an odd eyeball or hazard icon in the lower right hand corner of your browser on the status bar (to the left of the *world and the word "Internet"). Clicking on this will tell you what has been blocked for privacy or otherwise usually.
Hope thats not too much info. 
Facebook
Twitter