SQL Server rights are pretty easy to work with most of the time. You grant a bunch of rights to an object, then you deny rights to those objects and the user loses the rights. Pretty easy. Now the catch is that if you use the fixed database roles, those roles override any denies that are in place.
So if you deny a user access to a bunch of tables, then put that user into the db_datareader fixed database role, that user will have select rights to all the tables in the database, including all the tables that the user has been denied access to.
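
The scenario above can be set up in a scratch database and the resulting effective permission checked with the following T-SQL. This is an added example, not code from the original post: the table dbo.DenyDemo and the user deny_demo_user are constructed names, and ALTER ROLE ... ADD MEMBER assumes SQL Server 2012 or later. The final query lists every db_datareader member that also carries an explicit object-level DENY, so each such combination can be reviewed.

```sql
-- Added example. Constructed names: dbo.DenyDemo, deny_demo_user.
-- Run in a scratch database, not in production.

-- 1. Set up the scenario: a table, a user, an explicit DENY, then role membership.
CREATE TABLE dbo.DenyDemo (id int PRIMARY KEY, payload varchar(50));
INSERT INTO dbo.DenyDemo (id, payload) VALUES (1, 'constructed row');

CREATE USER deny_demo_user WITHOUT LOGIN;
DENY SELECT ON dbo.DenyDemo TO deny_demo_user;
ALTER ROLE db_datareader ADD MEMBER deny_demo_user;

-- 2. Show what is recorded for the user: the explicit DENY row.
SELECT pr.name             AS principal_name,
       pe.state_desc       AS permission_state,
       pe.permission_name,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'deny_demo_user'
  AND pe.class = 1;                       -- 1 = object or column

-- 3. Ask the engine for the effective permission while impersonating the user.
--    HAS_PERMS_BY_NAME returns 1 if SELECT is effectively allowed, 0 if not.
EXECUTE AS USER = N'deny_demo_user';
SELECT HAS_PERMS_BY_NAME(N'dbo.DenyDemo', N'OBJECT', N'SELECT') AS can_select_denied_table;
REVERT;

-- 4. Audit: members of db_datareader that also have an explicit object-level DENY.
SELECT m.name              AS member_name,
       pe.permission_name  AS denied_permission,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS denied_object
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m  ON m.principal_id = rm.member_principal_id
JOIN sys.database_permissions  AS pe ON pe.grantee_principal_id = m.principal_id
WHERE r.name   = N'db_datareader'
  AND pe.state = 'D'                      -- D = DENY
  AND pe.class = 1
ORDER BY m.name, denied_object;

-- 5. Clean up the constructed objects.
ALTER ROLE db_datareader DROP MEMBER deny_demo_user;
DROP USER deny_demo_user;
DROP TABLE dbo.DenyDemo;
```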