05-18-2017 10:58 AM - edited 03-12-2019 02:23 AM
Hi everyone
I'm studying for the CCNA and have a network created in Packet Tracer with 4 VLANs. I want to restrict some specific hosts from the WWW:
I set up a web server in the outside network but I'm also not sure if the settings are OK. I want to block those hosts from any WWW traffic.
I'm not sure which interface and what kind of access list (standard/extended) to apply with that topology and NAT.
Because it would be very difficult to explain the whole case and all the IP addresses, I attached the .pkt file.
Any help will be much appreciated.
Kind Regards Peter Majchrzak
05-19-2017 02:39 PM
Hi
I had a quick look at your design.
First of all, as your distribution switches will act as the default gateway, you don't need to set up an IP for all VLANs on each 2960 access switch. You can remove those SVIs for VLANs 20, 30 and 40.
You can just keep VLAN 1 as the management VLAN. Be careful with the default gateway you configure on the access switches: it should be the HSRP VIP of your VLAN 1. Those switches will act as Layer 2, which means they aren't going to do any routing.
On your distribution switches, the HSRP config has to be the same on both switches. Only the priority will change.
This is your config:
### DISTRIBUTION 2 ###
interface Vlan40
description Sales
mac-address 00e0.a39d.cd04
ip address 192.168.40.2 255.255.255.0
standby 0 ip 192.168.40.101
standby 0 preempt
### DISTRIBUTION 1 ###
interface Vlan40
description Sales
mac-address 00d0.583a.1204
ip address 192.168.40.6 255.255.255.0
standby 40 ip 192.168.40.100
standby 40 priority 150
standby 0 preempt
!
The config should be:
### DISTRIBUTION 2 ###
interface Vlan40
description Sales
mac-address 00e0.a39d.cd04
ip address 192.168.40.2 255.255.255.0
standby 40 ip 192.168.40.100
standby 40 preempt
### DISTRIBUTION 1 ###
interface Vlan40
description Sales
mac-address 00d0.583a.1204
ip address 192.168.40.6 255.255.255.0
standby 40 ip 192.168.40.100
standby 40 priority 150
standby 40 preempt
!
In terms of the access list, I will write down the ACL to allow only host 192.168.40.22 to access HTTP, deny all others from accessing this server over HTTP, and allow every other protocol. This ACL will be applied on your router called Border Router on interface G0/0:
ip access-list extended 190
1 permit tcp host 10.0.0.18 eq 80 host 192.168.40.22
2 deny tcp host 10.0.0.18 eq 80 any
3 permit ip any any
!
interface g0/0
ip access-group 190 in
Hope that answers your questions.
PS: Please don't forget to rate and mark as correct answer if this answered your questions.
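Added example (not part of the thread, not Cisco code): a small Python evaluator for the subset of IOS extended ACL syntax used in the answer above. It parses the three-line ACL exactly as posted and applies it to constructed packets with the same first-match and implicit-deny semantics a router uses, so you can see that the ACL acts on the server's replies (source port 80) and that only 192.168.40.22 gets them. NAT is ignored here; on the real router, which addresses an ACL sees depends on the interface and direction it is applied to, so confirm the behaviour with the hit counters from `show access-lists`.

```python
"""Evaluate a Cisco IOS extended ACL (the subset used in this thread) against
constructed packets, first-match with implicit deny, as the router would.

Added example: not code from the thread or from Cisco. The ACL text is the
one posted in the answer; the packets below are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL as posted in the thread (sequence numbers are accepted and ignored).
ACL_TEXT = """
ip access-list extended 190
 1 permit tcp host 10.0.0.18 eq 80 host 192.168.40.22
 2 deny tcp host 10.0.0.18 eq 80 any
 3 permit ip any any
"""


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    sport: Optional[int]              # matched only when 'eq <port>' is given
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _take_addr(tokens):
    """Consume 'host A.B.C.D', 'any' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # Wildcard mask: 0 bits must match, 1 bits are don't-care (contiguous assumed).
    hostmask = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - hostmask.bit_length()
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False)


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(text):
    """Turn IOS 'ip access-list extended' lines into a list of Ace entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":   # skip the 'ip access-list ...' header
            continue
        if tokens[0].isdigit():               # leading sequence number
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        src = _take_addr(tokens)
        sport = _take_port(tokens)
        dst = _take_addr(tokens)
        dport = _take_port(tokens)
        entries.append(Ace(action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries, proto, src, sport, dst, dport):
    """Return (action, index of matching entry); first match wins, implicit deny last."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None   # the implicit 'deny ip any any' at the end of every IOS ACL


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed sample packets: the web server's replies (source port 80) to
    # the allowed host, to another host, and a non-HTTP reply to another host.
    samples = [
        ("tcp", "10.0.0.18", 80, "192.168.40.22", 51000),
        ("tcp", "10.0.0.18", 80, "192.168.40.23", 51000),
        ("udp", "10.0.0.18", 53, "192.168.40.23", 51000),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(acl, *pkt))
```

Running it shows the HTTP reply to 192.168.40.22 hitting entry 1 (permit), the same reply to any other host hitting entry 2 (deny), and every other protocol falling through to entry 3. Swapping the order of the first two lines would block the intended host too, which is the usual mistake with first-match ACLs.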
05-20-2017 05:25 AM
Thank you Francesco Molino for your answer, yes it did answer my question. Thanks for your help, it looks much clearer now.
Regards Peter Majchrzak
05-20-2017 05:55 AM
You're welcome.
Can you mark please my answer as correct answer?
Thanks