If you omit the "everyone" group from project-level permissions altogether (just don't include them, rather than setting them up as "denied"), won't that only grant access to those groups/users you add to the permissions for that project?
I have many groups on Server (although I am not using Active Directory), and often have users in multiple groups, but when I set up projects, I only add groups that I want to be able to access that project--I don't have to set any groups to have "denied" access--simply adding those groups I DO want sets up what I need.
I may not be understanding the problem, though. This is just my two cents, and I'm hoping I can learn something from your question.
Yea, so far that seems to be exactly what I needed to know. Thank you!