If you want to implement a no-access default, a single instance of this attribute will do it. This denies all service to all hosts, unless they are specifically permitted access by icsDomainAllowed attributes.
icsDomainNotAllowed: ALL:ALL