I believe, if I remember correctly, that DENY always takes precedence. You have to configure it around the HTTP.