Master, thank you for reply.

I undesrtud almost every thing, but i have a dought about the SQL Server service and the SQL Server agent service account.

As i told. I don't want that ANY windows login (domin users or domain admins) can access SQL Server. This, you told me how do i achieve, but suppose that i create a user account in the domain controller named SQL1 this account will be the account with wich the SQL Server service and the Agent service will run.

Do i need to give specific permissions on SQL to this account? why?

This user is a domain admin , so it as all the previlegies inside the OS (w2k3) of the box where SQL Server is installed and on the network, why does it need to have permissions inside the SQL Server? does it make some tasks to in the databases?

If it's this way, than i cannot CUT the permissions to ALL windows account in SQL Server, i still have to give permissions to this account (SQL1).

Is really it necessary?

Thank you.