Honor the "deny" part of "foobar deny ACL" options - Temporary patch

Honor the "deny" part of "foobar deny ACL" options - Temporary patch

When AuthenticateAcl() and aclMatchExternal() were converted to use extended
authentication ACL states (r11644 and r11645 dated 2011-08-14), the result of
those function calls was set as the current checklist answer.  This was
incorrect because those functions do not make allow/deny decisions. They only
tell us whether the ACL part of the allow/deny rule matches. If there is a
match, the ACCESS_ALLOWED/ACCESS_DENIED answer depends on whether it is an
allow or deny rule.

For example, "http_access deny BadGuys" should deny access when the BadGuys
ACL matches, but it was allowing access instead.