Group policy - Software restriction policy not override

We have added a hash rule to software restriction policy to "disallow" user

from executing the Window Live messenger (msnmsgr.exe)

However, we would like to allow certain group of people (ie: Customer

service colleague) to run the Live Messenger, so I created an OU, then add

another hash rule to msnmsgr.exe and set it to "unrestricted", and then put

all customer service colleague in that OU.

But I found that this does not work, it seems that the OU's "unrestricted"

rule does not override the Default Group policy's "disallow" rule. And now

all the customer service colleague cannot access Live Messenger.

Would anyone can help on this ?

thanks