Rule order matters -- I'm guessing that since Global Whitelist is above Site Review it's taking precedence, but once you move further down the rule set, the SiteReview rule set kicks in. Not entirely sure how the connection is getting there since the top-level criteria on SiteReview doesn't indicate that you should get there unless SiteReview has been implemented, but what you coud do is enable rule tracing for your client IP address @ the very top of the rules and then review the path that the connection takes. Another option would be to create a log file that gets written when you set a specific user-defined property and configure that log file to write out String.ReplaceIfEquals(List.OfString.ToString (Rules.FiredRules.Names), "" "-"). Then set the property for your client IP and MWG will log the path through the rules that the connection takes.
Another possibility is that Global Whitelist is using slightly different criteria than URL Whitelist and URL Whitelist simply isn't matching on the connection -- that would suggest that you would fall down into your Block URLs rule and I'm guessing that the Event there might redirect to Site Review, but without rule details, I can't be sure.
Yes you are right. HTTP Request going through your rule set from top to down. So if your request matches in the Site Review Rules they will worked on there.
Also you might want to check for the correct usage of the URL Properties here:
Best Practices: Creating URL related list entries
And keep in mind to clock the Show Details button to make it more easier to understand your ruleset