AI OnAI Off
No, it should not work like that.
I might be wrong, but I think that access rights are aggregated so that if the user herself or any of the users roles gives a certain access level (say Publish), that access will be granted. Or conversely, you can not limit the access rights a user inherits from one of her roles by revoking the access for the user specifically.
I have site using active directory membership and role provider.
If an individual user has more rights to a page than a group the user is in, the users rights are ignored. Is this correct and can it be changed in any way?