SurfControl SP1

In my access control rules, I have a Deny rule based on selected
SurfControl categories. This rule applies to 'Any'. A few rules belowthis one, I have an Allow rule that applies to the NDS group,
WebFullAccess, and as the name implies, allows members of this group
to access any URL. This rule is the last (bottom) access rule. The
idea behind this is that if someone (regardless of which group they
belong to) attempts to go to an inappropriate URL, SurfControl will
block it. IF SurfControl doesn't block it AND they are member of
WebFullAccess, THEN they can get to the site. I am noticing that users

who are not members of WebFullAccess are getting blocked to certain
URLs that members of this group are not getting blocked from. To me it

seems as if the access rules are getting read from bottom to top
instead of top to bottom as I understand they should be. What am I