query string parameters can be used in access rules, but using recordset variables can be problematic.
you have to make sure that the recordset is created before any security assist code on the page, especially the include reference to the WA_SecurityAssist/helper_ASP.asp page.