Access Restrictions allows you to create a set of rules that govern internet access to machines on your network. You can create rules that govern access by individual IP or MAC address, IP address range, time-of-day, traffic type, URL and keywords, etc.
You can create up to 10 sets of rules, with each set of rules being referred to as a policy. A policy can contain multiple individual rules, such as filtering a specific machine access to a particular web site, and/or filtering access to certain unwanted P2P protocols.
Remember that all policies will be used (this is different than in factory Linksys firmware where only the first matched is used)! For example, if policy #1 is a Deny policy that restricts all internet access to a machine on your LAN, that machine will no longer be able to access the Internet, regardless of any Filter policies you might have. Note: The term "Filter" is erroneously labeled as "Allow" in earlier versions of DD-WRT firmware. This is the main source of confusion when dealing with access restrictions in DD-WRT. See Eko's forum post for more information.
The Filter option is used to block access to web sites, services, or keywords. However, it does not block internet altogether like the "Deny" option does. Nor does it allow internet access during times that a Deny policy denies it.
If you will notice, when you click the "Deny" button (instead of the Filter button), those extra options at the bottom of the page get #404040ed out (at least in newer dd-wrt versions). This is because filtering a web site, service, etc. in a Deny policy is pointless since the machines in the policy would be denied internet access anyway!