Great question, for now you'll have to look at these files:
Those are any globally disabled rules.
Those are any disabled rules for specific vhosts.
In the future this will all be visible in the GUI and we're planning big changes in the way the rules are managed and displayed too, including classes (which have overlapping rules, so you could disable all PHP rules, or just PHP-SQL rules, etc.) We're going to roll classes out where it makes the most sense for things like the spam rules, so you can say "disabled all gambling rules for this vhost". In the longer term we'd like to expose spam rules to domain owners, but thats a big lift and change in the auth model so theres no timeline yet on that feature. Its something we have to think very carefully about as we dont want a domain owner to be able to disable rules that protect the server, and then open your box up to full compromise.