All users have connect permissions only

Role has execute permission - and user is part of role - this is how they are granted execute permissions -via this role

Role has deny execute on 1 sp only - which isn't used in this scenario

there are no permissions against tables directly