I'm trying to create a rule that will allow web traffic to a class B

First rule:
I have Action - Allow, Source - Any, Access - HTTP Proxy, Desitanation -
Specified IP list; The Destination List correctly lists the subnet (e.g. I currently have origin server port 80 to 9998
for testing.

Second rule:
I allow some specific URLs. Action - Allow, Source - Any, Access - URL,
Destination - Secified URL list.

Third rule:
Dropping all other web traffic for a test user. Action - Deny, Source -
user.ou, Access HTTP proxy, Destination - Any

Last rule:
Allow all other web traffic. Action - Allow, Source - ou, Access - HTTP

Behavior - Logging on as test user (user.ou). User can browse specified
URLs in second rule, cannot browse sites with IPs in subnet specified in
first rule. Only websites allowed seem to be sites specified in URL list in
rule 2.

I'm using craig's proxy.cfg... Seems like this used to work in the past. Am
I missing a setting or completely missing the boat on how these rules are
supposed to work.