SYSADMIN fixed role will have all and any privileges in the server. Even if you explicitly deny an access to the sysadmin fixed role it doesn't take affect and the bottom line is user with sysadmin role has any access to the server.