I've hit a wrinkle in my LinkWall installation I confess I don't

Under NDS, we had some pretty simple rules:

1. Allow URL any to any if a member of the CanUseInternet Group.

2. Allow a specified IP address range (our internal network) to Any

3. Deny any to any

4. an Allow rule for the VPN client

5. a Deny port rule, any service, for TCP and UDP

This did what it was supposed to, to the best of my memory.

Now I have this using LinkWall

1. Allow URL any to any if a member of the UnrestrictedInteret Group.

2-4. Deny rules using LinkWall for 3 different groups that function
effectively as Allow rules

5-8 - exactly 2-5 from above as used under NDS.

And I notice a curious thing. I have all my users in one of the four
groups (unrestricted, restricted A, B, and C), but if I take myself out
of all of these groups, no rule now denies me and I can browse
unrestirctedly, as if I was in the unrestricted group - and that
shouldn't be.

I don't know if this is a LinkWall specific thing or just due to a lack
of understanding of how the BM access rules work on my part, but I'd
appreciate any explanation anyone can offer.

Thanks in advance.