OK, I think I'm following along. I created a brand new database in SQL Server 2005 and ran the following script to generate the REVOKE statements. I think the difference for me is that I'm also getting the schema name of each object, and that is what lets me drop access to things like sys.all_columns:
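-- One-time setup: uncomment to create the scratch database before the first run.
--CREATE DATABASE [SandBox]
GO
USE [SandBox]
GO

-- Generates (does NOT execute) one REVOKE statement per object-level permission
-- held by principal_id 0 (public) or 2 (guest) in the current database.
--
-- Review the output before running any of it, and try it in a scratch database
-- first: system catalog objects such as sys.all_columns are included, and client
-- tools commonly depend on public's default access to them.
--
-- Differences from a naive catalog join, and why:
--   * QUOTENAME() brackets every identifier, so names containing spaces, dots or
--     closing brackets cannot break or alter the generated statement. It also
--     replaces convert(varchar(50), ...), which truncated names longer than
--     50 characters and produced statements for the wrong object name.
--   * p.class = 1 restricts rows to object/column permissions; for any other
--     class, major_id is not an object_id and could match an unrelated object.
--   * p.state IN ('G', 'W') keeps GRANT and GRANT WITH GRANT OPTION rows only.
--     REVOKE also removes a DENY, so emitting it for DENY rows would widen
--     access rather than reduce it.
-- NOTE(review): column-level rows (minor_id <> 0) are emitted as object-level
-- statements; confirm that is the intended scope before running them.
-- NOTE(review): rows in state 'W' may need CASCADE appended if the grantee has
-- re-granted the permission; verify against the REVOKE documentation.
SELECT
    'REVOKE ' + x.[Action]
    + ' on ' + x.[Schema]
    + '.' + x.[Object]
    + ' TO ' + x.[User] AS revoke_statement
FROM (
    SELECT
        -- An explicit collation on every piece avoids collation-conflict errors
        -- when catalog columns with different collations are concatenated.
        QUOTENAME(u.name) COLLATE Latin1_General_CI_AS AS [User],
        QUOTENAME(SCHEMA_NAME(o.schema_id)) COLLATE Latin1_General_CI_AS AS [Schema],
        QUOTENAME(o.name) COLLATE Latin1_General_CI_AS AS [Object],
        p.permission_name COLLATE Latin1_General_CI_AS AS [Action]
    -- Add "INTO <table>" before FROM to persist the rows for later review.
    FROM sys.database_permissions AS p
    INNER JOIN sys.database_principals AS u
        ON u.principal_id = p.grantee_principal_id
    INNER JOIN sys.all_objects AS o
        ON o.object_id = p.major_id
    WHERE p.class = 1
        AND p.state IN ('G', 'W')
        AND p.grantee_principal_id IN (0, 2)
) AS x
-- A stable order makes successive runs easy to diff and review.
ORDER BY
    x.[Schema],
    x.[Object],
    x.[Action],
    x.[User];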
Lowell