I notice in the first two you've put "rewrite_", which I assume is the hex-encoded version of the hostname (like rewrite uses).
For Portal ACLs (aka list items), the resource must be accessed via rewrite, not via LTM+APM mode (which is what the third one would be). Can you identify exactly the URL accessed by the client in each of the 3 cases?
It could be some issue where the Web App is breaking out of rewrite somehow because of an issue with rewrite, or it could be a split-tunnel rewrite sort of configuration.
Alternatively, if you want to mix up this rewrite and LTM+APM type of access, you could just use plain URL ACLs instead of Port ACLs.