Extending Sites and Security

I am working with v2.3.1 of Essentials and have enabled integrated security for the site as per the Geocortex Administrative doc.  My providers are using ActiveDirectory providers.    I have three sites configured at the moment. SiteA - No Security, 1 map resource added SiteB - Extends SiteA with Seucurity defined. SiteC - Extends SiteB   SiteA works as expected.  Everyone can get in and see what they need to.  No security specified   SiteB works as expected as well.  I have denied access for a user (UserA) to that site and that user is not allowed into the site.  For another user (UserB) I have denied that user have access to a layer and when viewed, that layer is not visible for them.   Auth File looks like this: < Authorization xsi:noNamespaceSchemaLocation= "../../Authorization.xsd" xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance" >

 

   < Site ID= "SiteB" >

 

     < ViewPermission >

 

       < Allow Users= "domain\UserB" / >

 

         < Deny Users= "domain\UserA" / >

 

     < /ViewPermission >

 

   < /Site >

 

   < Layer Name= "Streets" MapResourceItem= "TestService" >

 

     < ViewPermission >

 

       < Deny Users= "domain\UserB,domain\UserA" / >      < /ViewPermission >

 

   < /Layer >

 

< /Authorization >   SiteC is odd.  1st - If I look at the Security settings in Essentials it doesn't show security being enabled.  Should it not be enabled from the parent site (SiteB) as ot extemds that site? 2nd - The user I had denied (UserA) in the authorization file for SiteB can get into SiteC.  This makes some sense seeing it looks like SiteC does not have security enabled. 3rd - A wrench gets thrown in in that UserB (the person I denied access to a layer in SiteB's auth file) cannot see that layer in SiteC.  UserA also cannot see this layer.   So either only part of the security is working when it should or some part of security is working when it shouldn't.   What is Latitudes expected functionality of this?