All users have connect permissions only
Role has execute permission - and user is part of role - this is how they are granted execute permissions -via this role
Role has deny execute on 1 sp only - which isn't used in this scenario
there are no permissions against tables directly