The danger is that overlapping configuration is inconvenient. So after some time, the users are irritated with this kind of setup, and they throw out default-deny protection.
I have to confess, I even have CFW (with CS settings) running on there - though I have disabled Auto-Containment now while playing with H_C.
Most likely will just keep H_C. Oh, and OSA (some overlap, I know).
With default-deny, it is better to keep things as simple as possible and try to get accustomed to it first. Even a very simple default-deny is very strong.