I think that basically you have to remove the "deny" rule in all your ACLs, then have one ACL whose job is only to deny.
The following is how I think I would approach this (I have not tested this out). I'm replying because I noticed that your post has gone a day without response, so you could at least try out my idea.
YOu should have one ACL called "deny all" which has only one rule, deny all. Then for each group, An ACL that allows only their specific traffic. Example:
"Allow Network A" rule -> allow traffic for network A.
"Allow Network B" rule -> allow traffic for network B.
"Allow Network C" rule -> allow traffic for network C.
Then for Network A, you assign ACL "Allow Network A" AND "deny all"
Network B will get "Allow Network B" and "deny all".
Then for the group that needs two networks, you will assign "Allow Network A", then "Allow Network B", then "deny all" in that order.