Your denied rule should use groups.
Set the denied rule as:
Value: <?php echo $_SESSION['UserID']; ?>
Criteria: In Group
Next to the groups list, click the button to create a new group. Name the group "Allowed", and add the values 1 and 2 as group members.
after creating the group, select it in the list for the denied rule.