I think the design is not to have negative permissions. See this very old thread about ACS perms:
http://ccm.redhat.com/bboard-archive/acs_design/000KNw.html
I hope it's relevant.