The default members of project role users can be edited as described here: http://confluence.atlassian.com/display/JIRA/Managing+Project+Roles#ManagingProjectRoles-Specifyingdefaultmembersforaprojectrole

Ok I think that helps, thank you. I'm just reading more about project roles now.

The documentation says:

Jira-users group contains every JIRA user in your system. By default is a member of the 'Users' project role.

So what I need to do is create project roles and groups for each project, assign users accordingly to the groups and this should OVERRIDE the jira-users group permissions that allow all users to access all groups?

(I can't remove users from JIRA-users as they can no longer sign in to JIRA at all, that's in the documentation as well).

You don't need to create a new role. just remove jira-users from the role "users" and add your own group to role "users". Do this in all projects where you want to restrict the users. Also change the default members of role users to empty. Thus each newly project will be safe by default. if you want to make it open, add jira-users to role users else create your specific group and add this role

OK great thanks, I'm working through the help docs so will hopefully get on to permissions soon and post back if I have any queries. Thanks for your helpful input

To understand the security better you should have a look at permission schemes as well. The right to browse issues is defined in the permission scheme. In the default scheme, the role users has this right. Of course one could redefine that to add other roles. E.g one could use a role viewers that only has the permission Browse and nothing else. So users in this role could only view issues but not edit them. There are a lot of possibilities and to master Jira successfully you should get some notion how permission schemes work

Glad if i could help you :)

All under control and fallen in to place now. Thanks very much for your help.

I understand how to solve this by doing what Dieter wrote above. However, I think it's in principle bad that by default users get access to all projects. I now have to remember to remove the jira-users group from the Users role everytime I create a new project. This gives me an uneasy feeling. I'd rather have the users not see a project and complain (which is then easily fixed) than that they can see a project which they're not supposed to see.

I want to lock down access to a project, so I started by removing jira-users from the Users role for that project. As soon as I did that, I could no longer access the project at all. It was no longer listed in Projects > View All Projects. Since I'm a member of jira-administrators, and also a member of the Administrators and Developers role for the project in question, this really surprised me. Is that expected behavior? I'm using JIRA 6.4.9.

Go to Permissions schemes -> for Default Permission Scheme (that is used by each new project) open -> Permissions -> remove group "Jira-users" from Permission "Browse Projects".

You have to define in the projects permission scheme who's able to manage a project. If you set the project role to administrators it should work.