Subtleties of Denying Traffic

In ISA Server 2004, if you're using custom ports as part of a publishing rule for a protocol, an Access Rule won't be able to block that protocol on a non-default port.

To try to illustrate: 

Say you're Server Publishing RDP for two internal servers using two rules that publish RDP (Terminal Server) Server, one on port 3390 using the Ports button and one on the default 3389.

You want to temporarily disable access to both, so you create an Access Rule specifying to Deny RDP from External to Anywhere, with higher priority than other rules.

And as this is sounding so much like an MCSE question, I think I'll multi-choice the answers!

(the screenshot shows a disabled access rule, but assume it would be enabled.)

Does this solution:

A. Meet the intended objective?

B. Block only the server on the custom RDP port?

C. Block only the server on the default RDP port?

D. Not block RDP to either server?

Show working, and if this doesn't meet the stated objective, propose an alternative solution.

Answers on a postcard or the back of an envelope to this address. Er, or just hit Comment and have a crack.