Its true that microsoft put lot of effort for security in SQL Server 2005. That way, in sql server 2005 there are two types of fixed roles are provided:
1. Fixed Server roles.
2. Fixed Database roles.
Here, "sysadmin" goes under fixed server roles category, members of the sysadmin fixed server role can perform any activity in the server. By default, all members of the Windows BUILTIN\Administrators group, the local administrator's group, are members of the sysadmin fixed server role.
In genral, "sysadmin" has a "CONTROL SERVER" permission , or else you can try this command in your query window, to list out what all the permissions that "sysadmin" have:
EXEC sp_srvrolepermission 'sysadmin';
moreover, I never tried that denying the permissions to an "sysadmin" fixed server role. But its a good question, I'll look over this.