Question on Resource Policies

cryptochrome_
Contributor

Question on Resource Policies

Hi,

I am coming from a firewall world so I have the habit to end each of my policy sets with a "cleanup" rule, that blocks everything that has not been allowed through a previous rule.

Right now, I have no manual rules in my policies, there are only auto-rules. Now when I try to add my cleanup rule, it is always placed at the top of the rulebase and I cannot seem to move the rule manually (the < and > keyboard shortcuts don't seem to work either).

Is this normal? Does this mean the auto-rules are always matched, no matter if I have a manual, more specific rule before the auto-rule?

Thanks

Sascha

ben_
Frequent Contributor

Re: Question on Resource Policies

Deny rules always appear before the allow rules. So if you e.g. allow myhost.com:80,443/abc/* and want to exclude myhost.com:80,443/abc/noaccesshere/*, then this rule needs to appear before:

1.) Deny: myhost.com:80,443/abc/noaccesshere/*

2.) Allow: myhost.com:80,443/abc/*

But if you exclude everything for a resource and want to allow something included in the denied resource, the allow rule will be in the first position:

1.) Allow: myhost.com:80,443/tobeallowed/*

2.) Deny: myhost.com:80,443/*

If something is neither allowed nor denied, it will be denied by default - similar to the "cleanup" rule you describe.
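To make the ordering rules in this reply concrete, here is a small first-match policy evaluator written as an added example for this thread. It is not the SA's own policy engine, and the `host:port,port/path/*` pattern syntax, the glob semantics for `*`, and the `Rule`/`evaluate` names are assumptions made for the illustration. It walks the rule list top to bottom, the first matching rule decides, and a request that matches nothing falls through to the implicit deny that Ben describes.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    """One resource policy rule: action is 'allow' or 'deny',
    pattern is 'host:port1,port2/path/*' as written in the thread."""
    action: str
    pattern: str


def parse_pattern(pattern: str) -> Tuple[str, Optional[set], str]:
    """Split 'myhost.com:80,443/abc/*' into (host, {80, 443}, '/abc/*').
    An empty port list means 'any port' (assumption for this example)."""
    hostport, _, path = pattern.partition("/")
    host, _, ports = hostport.partition(":")
    port_set = {int(p) for p in ports.split(",")} if ports else None
    return host.lower(), port_set, "/" + path


def rule_matches(rule: Rule, url: str) -> bool:
    """True if the request URL falls under the rule's host, port and path glob."""
    parts = urlsplit(url)
    host, ports, path_glob = parse_pattern(rule.pattern)
    if (parts.hostname or "").lower() != host:
        return False
    # Default port follows the scheme when the URL does not carry one.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if ports is not None and port not in ports:
        return False
    # fnmatch's '*' also crosses '/', so '/abc/*' covers '/abc/x/y'.
    return fnmatch.fnmatchcase(parts.path or "/", path_glob)


def evaluate(rules: List[Rule], url: str) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, url):
            return rule.action, rule
    return "deny", None  # the built-in "cleanup" behaviour


# Scenario 1 from the reply: a specific deny must sit above the broader allow.
RULES_DENY_FIRST = [
    Rule("deny", "myhost.com:80,443/abc/noaccesshere/*"),
    Rule("allow", "myhost.com:80,443/abc/*"),
]

# Scenario 2 from the reply: a specific allow must sit above the broad deny.
RULES_ALLOW_FIRST = [
    Rule("allow", "myhost.com:80,443/tobeallowed/*"),
    Rule("deny", "myhost.com:80,443/*"),
]


if __name__ == "__main__":
    # Constructed sample requests for the demonstration.
    for url in ("https://myhost.com/abc/page",
                "https://myhost.com/abc/noaccesshere/secret",
                "https://myhost.com/somewhere/else"):
        print(url, "->", evaluate(RULES_DENY_FIRST, url)[0])
    # Swapping the two rules silently opens the excluded path.
    print("reversed ->", evaluate(RULES_DENY_FIRST[::-1],
                                  "https://myhost.com/abc/noaccesshere/secret")[0])
```

Running the reversed list shows the point of the ordering: with the allow above the deny, the excluded path is reachable, which is why the more specific rule has to come first in a first-match list.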

cryptochrome_
Contributor

Re: Question on Resource Policies

Thanks Ben. I understand the concept, but I am wondering why I cannot move my rules below the auto-rules. If I want to create the cleanup rule, it is always placed before the auto-generated rules and cannot be moved.
ben_
Frequent Contributor

Re: Question on Resource Policies

Sorry, I can't help you with the autorule stuff, because I rarely use them; instead I prefer defining the rules on my own, so that I always know what's happening (and in case I am doing something wrong I am cheating from example autorules, e.g. with this Citrix stuff ;) ).

But I guess that they are always on top to always keep them working, so that they might not be influenced by manual rules.

cryptochrome_
Contributor

Re: Question on Resource Policies

Well, the thing is, the autorules are not always on top, but always on the bottom...

anyone?

kenlars_
Super Contributor

Re: Question on Resource Policies

Well, you could approach your SE for an Enhancement Request (ER). I think you have identified how the SA works, you just think it could do it better.

From my perspective, you could (1) accept the fact that there is an implicit "deny all" at the end of the policies or (2) not use the automatic policies, creating all policies manually - and then have the freedom to move them anywhere you want in the list.