Environment:
NW51SP5
BM37SP1
SurfControl SP1

In my access control rules, I have a Deny rule based on selected
SurfControl categories. This rule applies to 'Any'. A few rules below
this
one, I have an Allow rule that applies to the NDS group,
WebFullAccess,
and as the name implies, allows members of this group to access any
URL.
This rule is the last (bottom) access rule. The idea behind this is
that
if someone (regardless of which group they belong to) attempts to go
to an
inappropriate URL, SurfControl will block it. IF SurfControl doesn't
block
it AND they are member of WebFullAccess, THEN they can get to the
site. I
am noticing that users who are not members of WebFullAccess are
getting
blocked to certain URLs that members of this group are not getting
blocked
from. To me it seems as if the access rules are getting read from
bottom
to top instead of top to bottom as I understand they should be. What
am I
missing?