i think it's the usual; there's no easy way, but you can use the metadata to build your commands to add everyone to a deny everything group

something like this is what i think off of the top of my head.

CREATE ROLE [NoAccessForYou];

ALTER AUTHORIZATION ON SCHEMA::[db_denydatawriter] TO [NoAccessForYou];

ALTER AUTHORIZATION ON SCHEMA::[db_denydatareader] TO [NoAccessForYou];

CREATE ROLE [OnlyReadAccessForYou];

ALTER AUTHORIZATION ON SCHEMA::[db_denydatawriter] TO [OnlyReadAccessForYou];

ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [OnlyReadAccessForYou];

declare @Batch varchar(max);

SET @Batch = '';

SELECT --@Batch = @Batch +

'EXEC sp_addrolemember N''NoAccessForYou'', N''' + name + ''';' + CHAR(13) + CHAR(10),*

FROM sys.database_principals WHERE type_desc IN('WINDOWS_USER','SQL_USER') AND principal_id > 4 ;

print (@Batch);

--exec (@@Batch);

EXEC sp_droprolemember N'NoAccessForYou', N'TestUser';

EXEC sp_addrolemember N'OnlyReadAccessForYou', N'TestUser';

EXECUTE AS USER='TestUser';

--do stuff

--change back into superman

REVERT;

--clean up after ourself:

DROP ROLE [OnlyReadAccessForYou];

DROP ROLE [NoAccessForYou];