I'd vote for creating the "executors" role, adding "execute" permission on all the SPs to that and then adding the user(s) in question to the "executors" role.

Maybe "executors" would be a good addition to the model db.

By the way, where's your defensive "is this a real login" check?  Chalk it up to paranoia, if you like, but I'd have a test in there.