First, you should *not* need to use any DENYs unless you've already given your user implicit permissions that you need to override explicitly. And in general you do not want to use DENY unless you absolutely have to because it really tends to provoke unintended side-effects.

The Database permission CREATE TABLE does allow a user to Create Tables, but, it alone does not give them any access to any of the schemas within your database. If you also give the user the ALTER permission on a schema, then the two permissions in combination will allow them to CREATE TABLE in that schema. But they can *only* create tables and *only* within that schema.