Have a 6506-E with SUP-720 running s72033-pk9sv-mz.122-18.SXD6.bin
I have traffic coming in on two devices connected to GigabitEthernet1/9 and 1/10 which 'should' exit on interface GigabitEthernet2/36 due to a static route.
However if GigabitEthernet2/36 were to go down due to a fault the static route would drop and the OSPF would force the traffic up GigabitEthernet2/48 which is connected to a much slower device which won't handle the traffic.
I've set the static route to 'permanent' so that even if GigabitEthernet2/36 goes down OSPF shouldn't re-route the traffic, but I wanted 'belt and braces' to apply an outbound ACL on GigabitEthernet2/48 to prevent the traffic trying to go out that way.
However the switch refuses to take the command 'ip access-group 101 out'.
It will accept 'ip access-group 101 in' but not 'out'.
I do understand about complying with change control. So further investigation may need to wait for another time.
I have done some searching and now have a better understanding of what you were seeing in on line help. And "ip access-group in" turns out to be valid on the layer 2 interface. To explain that let me point out that (depending on the version of code that you run on 6500) there are multiple types of access lists. The familiar access lists are the router access lists which are applied to layer 3 interfaces to filter routed packets. There are also VLAN Access Lists (VACL) which can be applied to VLAN interfaces and can filter traffic being bridged through the VLAN. And there are Port Access Lists (PACL) which are applied to layer 2 ports - but only in the inbound direction. So ip access-group in is how you apply a PACL to a layer 2 interface.
Here is a link which has good information about these different types of access lists:
I am not clear whether a PACL would help solve your problem, but you should take a look and see what you think.
 I am glad to see that while I started my response and was doing my search that Jon posted explaining the feature also. What a neat place this forum is.
Switches support port acls which is a router acl applied to a L2 switchport but it is only supported in the inbound direction so you cannot apply them outbound. This is why you only have the "in" option when dealing with a L2 switchport.
If you want to make sure traffic cannot use the OSPF link then i would suggest if possible moving the OPSF link into a different vlan than vlan 10 then using PBR on vlan 10 interface to route the traffic for the specific 2 machines via your chosen link and if that fails route the packets to the null interface. You would not need the static route if this was your approach.
Edit - i forgot to mention that upgrading IOS wouldn't help. Port acls can only be applied inbound to L2 switchports