We are evaluating NextLabs EntitlementManager to restrict the users belong to some security groups toaccess selected site collections with sensitive information even these users have been granted the permission through individual account, any AD groups, or email list groups. After we have set up the policy and restrict the access to a list, we found it block the access for many clients but not for REST client.
The list we try to block is http://serverURL/dept/Firethorn/IT/Lists/Harry/AllItems.aspx. After the deny access policy has been applied to the list, you will get the following error message when you try ace the list from SharePoint UI.
Even the message is not user friendly, it has block the access based on the policy. However, when you try to access the same list through REST web service http://serverURL/dept/Firethorn/IT/_vti_bin/listdata.svc/Harry, we are able to ace the content as in the following screen shot.
This seems to be a bug and we are working with NextLabs to identify the way we could block the list and library access from REST web service when the deny access policy applied.