Be careful in the Access Groups Manager
Just a word of warning.... When you are using the Access Groups Manager to define your access level groups, be sure that there aren't any "blank" values in the list after your real access level IDs.
In my case I had a group defined "A and B" that would allow access to a page if someone had a user level of "1" or "2". However, unbeknowst to me, somehow a blank value had also been added to the list of user levels in the Access Groups Manager so it was allowing access to someone with a user level of "1" or "2" or "" - which is everyone.
There is no indicator of a null value in the list withing the Access Groups Manager - I only found it by clicking on the space after the last user level.
After removing the null values in the Access Groups Manager the pages using the rule were properly restricted.