Currently http behavior are like this :
In case you blocked (added in deny group) the user in domino server and and HTTP task is configured to obey this setting, (in server document - ports internet ports web- Enforce server access settings: Yes) and if this user try to connect over the web and passed the credential then http task verify the credential first and then look for server access setting available in server security document and provide the error message "HTTP Web Server: You are forbidden to perform this operation"
In case blocked user try to connect over the web and passed the incorrect credential then http task wait till limitation of wrong password attempt texceeded and after that added user in inetlockout.nsf database and provide the error message "authentication failure using internet password: User is locked out"
Expected behavior :
When user access is globally disabled then http server should Identify the user status first whether its active or inactive then verify password and proceed the request further.
In short : http should act on incoming request as follows 1. verify the user status on server 2. verify the credential .