Does a deny action on a rule always take precedence?
Yes. However, AppLocker contains a feature that allows you to state exceptions to a deny action on a rule. Rule exceptions, which can be applied to the deny or allow action, permit you to specify files or folders to exclude from the rule. For example, a rule can be created to allow the Everyone group to run any application in the Windows folder except regedit.exe. Another rule can be created to allow the Helpdesk group to run regedit.exe. However, if there was an explicit deny action on regedit.exe, then no other rule permitting the Helpdesk group access to regedit.exe would supersede that rule.