jdMorgan - 2:05 am on Apr 5, 2010 (gmt 0)
BY not specifying an "Order" before starting the Deny/Allow list, you leave the function of your deny list "depending on the mercy" of the server configuration -- and who knows what is in that file... The server config may contain several Order directives, with each enclosed in a different container which makes it conditional upon some request-related factor (see the code I posted above for examples). What those factors might be in your server config files, we can only guess -- And that is the problem: Your Denies need to be applied unconditionally.
I would suggest that adding an "Order Deny,Allow" directive should be your first/next step.