You can't restrict the rights of a member of the sysadmin role: membership of that role results in a login bypassing virtually all security checks. If the login isn't a member of the sysadmin role then you've got free scope to use the other roles to limit its rights at the server level.

Similarly the dbowner role gives virtually unlimited rights within the scope of the individual database, but if the login is not a member of the dbowner role then you can tie down quite specifically what rights the login has within a given database.

One quick word of advice. I've had to tie down a login's permissions a couple of times. I found the GUI to be very easy to set things up once if you knew exactly what you wanted from the start, but it's a terrible way to experiment with different settings (it's also easy to forget a step if you're doing more than one: at least you've only got one login to worry about). If you expect this to take some experimentation I'd recommend scripting everything that you do: you'll find it much easier to make changes and review different iterations.