According to one Linux Security book I read, you can have a
ALL: ALL: deny
as the first option in the /etc/hosts.allow file.
Some services like samba have their own tcwrappers interface compiled in, and you want to use the configuration files for the service.
Did you view the webpage on the same machine as the server?
Is the apache service an xinetd wrapped service.
I think that either you started the webserver explicitly instead of doing it from an xinetd interface, you may of bypassed the controls. Or the httpd service isn't one that uses tcpwrappers at all and access should be controlled in the apache configuration file. Or you need to send an 'USR2' signal to 'xinetd' to reload the configuration so that your recent changes take effect. ( HUP for inetd ).
kill -USR2 <xinetd pid>
kill -HUP <inetd pid>
killall -HUP inetd
Verify this by looking in the man page for your system. Some systems use inetd, some use xinetd, some use the USR2 signal, some use HUP.
Also, xinetd on your system may not support tcpwrappers.
From the Xinetd FAQ
Q. Does xinetd support libwrap (tcpwrappers)?
A. Yes. xinetd can be compiled with libwrap support by passing --with-libwrap as an option to the configure script. When xinetd is compiled with libwrap support, all services can use the /etc/hosts.allow and /etc/hosts.deny access control. xinetd can also be configured to use tcpd in the traditional inetd style. This requires the use of the NAMEINARGS flag, and the name of the real daemon be passed in as server_args. Here is an example for using telnet with tcpd:
flags = REUSE NAMEINARGS
protocol = tcp
socket_type = stream
wait = no
user = telnetd
server = /usr/sbin/tcpd
server_args = /usr/sbin/in.telnetd