Default deny is a great method and I've been using it for a long time. I'm not sure where your Web access brainstorm comes from but it has no place in a security strategy of default deny. Default deny is very very simple. Either you are a trusted IP or you aren't. Every security strategy has weaknesses. Default denies biggest weakness is that it isn't flexible. But it's biggest strength is that it can massively restrict the amount of potential connectors to a system.