When you say internal users could get to the web server, were they going to the server's real internal address or the outside NAT address? If the internal address that is very different from trying to hit the NAT address from the inside.
If your web server initiates a connection it will use its own static NAT address for that by default and no Hide NAT rules will be used if you employed Automatic NAT setup.
Once the first packet of a new connection is received and accepted, the needed NAT rule(s) are matched and the NATting for that connection cannot change even if the relevant NAT configuration is modified and policy reinstalled. New connections will of course use the new NAT configuration, I think this is part of what happened to you. My guess is that Accept and NAT templates were formed in SecureXL for some kind of prior incorrect NAT configuration for the webserver and the inbound traffic to your web server had minimal inspection so it was fully accelerated by SecureXL and still using the incorrect configuration. Your outbound traffic was probably subject to more inspection (APCL/URLF, TP, etc.) and either Accept templates could not be formed or the traffic could not be fully accelerated for some other reason so it hit the updated rule config in F2F and worked.
When you ran fwaccel off Accept/NAT templates were disabled and any new inbound connections then ran through the updated NAT rule base and started working. However keep in mind that when you run fwaccel off in R80.20+ it only applies to NEW connections; similar to the situation I mentioned above involving NAT rules existing connections will continue to be handled by SecureXL.
This is particularly problematic with web browsers who love to keep speculative connections open to web servers you have visited recently, and are not opening actual new connections when you refresh that will be subject to your new configuration or bypass SecureXL. When testing something like this, always be sure to close all browser windows (or better yet switch to a completely different browser type) to ensure all speculative connections are closed as this can cause some really flaky-looking behavior.
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com