The Order Directive

The rules order deny,allow and order allow,deny define in which order the deny from and allow from directives are processed. All allow and deny rules are processed, with the final relevant rule overriding any previous rules. See the Order Directive section of the mod_authz_host module documentation for confirmation.

Note that all Allow and Deny directives are processed, unlike a typical firewall, where only the first match is used. The last match is effective (also unlike a typical firewall). Additionally, the order in which lines appear in the configuration files is not significant -- all Allow lines are processed as one group, all Deny lines are considered as another, and the default state is considered by itself.

For example, if we process the deny rules before the allow rules, we can effectively creating a whitelist of allowed IP addresses.

order deny,allowdeny from allallow from 127.0.0.1

Conversely, in the following example, we process the allow rules, before the deny rules, for a blacklist of denied IP addresses.

order allow,denyallow from alldeny from 127.0.0.1

Inheritance

Subdirectories will inherit the rules of parent directories, unless they declare their own rules. If a subdirectory uses either an order directive or an allow/deny directive, the rules from the parent are not inherited. See Bug 52406 which refers to the Merging of configuration sections section of this document, for confirmation of this behavior.

For modules that don't implement any merging logic, such as mod_access_compat, the behavior in later sections depends on whether the later section has any directives from the module. The configuration is inherited until a change is made, at which point the configuration is replaced and not merged.

Simple Test

You can also do this simple test to confirm this behavior.

Put the following lines in the parent directory .htaccess.

order deny,allow  deny from all

And any or all of the following lines in the child directory .htaccess.

order deny,allow  deny from 0.0.0.0

You will see the the child directory is now publicly accessible, even though the parent directory contains deny from all and the child directory has no allow from directives.

Conclusion

Based on the documentation and experimentation, it seems that it is impossible for a parent directory to override a child director's directives in any way.

UPDATE

Using deny, allow directives is deprecated since Apache 2.4 as mentioned here.
So now the right directive that allow all access would be

Require all granted

And to be able to revoke access to a given IP

Require all grantedRequire not ip 10.345.67.892