Denying Access Using File ACLs

I ran across an interesting question in a sample exam for the RHCSA:

Configure 4 users, linus, richard, mark, and bill. Deny bill and richard access to the /cooks directory. Allow access to all other users.

Now, because that did not read “allow access to all the other users” or “allow access to the other users mentioned in this sentence”, I took it to mean all other system users. That presents a problem: how do I allow everyone on the system but deny only two users? This doesn’t work:

[root@outsider2 /]# setfacl -m u:richard: cooks
setfacl: Option -m incomplete

Instead you can do this:

[root@outsider2 /]# setfacl -m u:richard:0 cooks

Now looking at the ACL:

[root@outsider2 /]# getfacl cooks
# file: cooks
# owner: root
# group: root
user::rwx
user:richard:---
user:bill:---
group::rwx
mask::rwx
other::rwx

And the directory listing looks as such:

[root@outsider2 /]# ls -ld cooks
drwxrwxrwx+ 3 root root 1024 Nov  3 18:48 cooks

Nifty!  An implicit deny using file ACLs.
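
The empty entries win even though other is rwx because the access check stops at the first entry class that matches (owner, then named user, then group, then other). The following is an added example, not part of the original post, that applies the acl(5) check order to the getfacl output above; the function names are hypothetical and the group memberships passed in are assumed.

```python
# Added example: the acl(5) access check run over the getfacl output shown above.
GETFACL = """\
# file: cooks
# owner: root
# group: root
user::rwx
user:richard:---
user:bill:---
group::rwx
mask::rwx
other::rwx
"""

def parse_getfacl(text):
    """Return (owner, owning_group, [(tag, qualifier, set_of_perms), ...])."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")[:3]
            entries.append((tag, qual, set(perms[:3]) - {"-"}))
    return owner, group, entries

def may_access(text, user, groups, want):
    """True if `user` gets every permission in `want`; root's CAP_DAC_OVERRIDE is not modelled."""
    owner, group, entries = parse_getfacl(text)
    want = set(want)
    def find(tag, qual):
        return next((p for t, q, p in entries if t == tag and q == qual), None)
    mask = find("mask", "")
    def masked(perms):
        return perms if mask is None else perms & mask
    if user == owner:                      # 1. owner: user:: entry, never masked
        return want <= find("user", "")
    named = find("user", user)
    if named is not None:                  # 2. named user: the decision is final
        return want <= masked(named)
    hits = [p for t, q, p in entries if t == "group" and (q or group) in groups]
    if hits:                               # 3. group class: one entry must suffice
        return any(want <= masked(p) for p in hits)
    return want <= (find("other", "") or set())   # 4. everyone else

if __name__ == "__main__":
    for name in ("linus", "richard", "mark", "bill"):
        print(name, may_access(GETFACL, name, (name,), "rx"))
```

Because the named-user step comes before the group step, richard and bill stay locked out even if they are later added to a group that has access.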

I think I read too much into the question, but pique my curiosity and I have to figure it out.