Can you do a rule engine trace for that site? There is nothing happening in the backend that your rules don't tell it to do, we just need to find out what the rules are saying.
You will need to enable the trace. This should be at the top of your rule sets, and is generally best to have it specific to the site or user in question.
There is an article about how to use them (7.3.2 and later) here. Before that version, you need to manually read through the XML output.
In 7.3.2 and later, I'm led to believe that it's even more fun than that... I don't think you need to touch the policy to do a rule trace (which is really nice). Or did I hear that incorrectly?
You are correct, the new rule engine tracing doesn't need to modify policy. You just enter the IP address of the client you want to trace.