I normally would not go through the porcess of explicitly denying access, but agree that it probably should be done. I definitely agree that Grant's should only be given to stored procedures, functions, and, I would add select on views.