fails when confronted with a number with an international dialing prefix, or any non-US number.
By design! I usually work on apps that are only deployed to US users. The more interesting thing I forgot is, this is valid: (((((919) 555-1212. Unlikely to happen in the real world (eg real users doing real data entry), but it's a flaw.
fails when confronted with the e-mail address form (user@domain) or a forward-slash form (user/domain)
Again by design. The only goal there is to parse the LOGON_USER http header, which is always in that format AFAIK.
It's dealing with all this that makes reg-exps hard.
No, trying to solve all known conditions in a single regexp, as you're implying, is what makes them "hard". It's simpler in a lot of cases to break your testing into 3-4 different regexps, with comments, rather than one Uber-regex that God himself can barely decipher.
Like I said, it's a balancing act.