Yes... that is the correct way... nice work.
Actually that is the correct logic to deny all rules you wish to restrict against first - because if your allow statement is first, it will become "true" before the other statements actually would be factored in. And if you want to ensure that a user has all of the credentials needed and not just one... you first would try to negate all others and then confirm the final.
You could even add another layer of protection to an admin section.
Say for example, you set your default access level in your database to "user". But you wanted to ensure your admin section required the credentials of active and admin. You could create a rule set where you first restrict if their account is not active (set to 0)... then restrict if their access level is set to user... then allow if their access level is set to admin.
Maybe a bit over the top, but there is no way that someone gets in by accident.