Windows privileges (examples) are assigned to accounts and groups, and by default the "SERVICE" built-in principal has a couple of privileges assigned, such as the "impersonate user" privilege.
I want to create a restricted account for a service that doesn't have this privilege. Can I somehow set a "deny" rule for this privilege, just like one can with file ACLs? Or do I have to remove "SERVICE" from the list of SeImpersonatePrivilege grantees to achieve this (something I'd rather avoid if I can, since it could conceivably break other services)?
Edited to correct a brain-cloud-induced conflation of two completely unrelated things into one monstrosity of a question.
No, Windows privileges are completely different from file system ACLs.
You use the Windows API to programmatically adjust Windows privileges. There is no GUI. They are binary; the privileges can be added or taken away, but there's no "Deny" mechanism like there is in NTFS ACLs, etc.
For instance, I needed to import advapi32.dll into my code to access the GetTokenInformation() function, which among other things contains the privileges for an account of a given SID.
I'm not sure that I agree with your assertion that the domain\Users group has the SeImpersonatePrivilege by default. That would fly in the face of any attempt at securing a Windows environment.
Check your local security policy and your domain policies, and expand Computer Config -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment and check the "Impersonate a client after authentication" setting. I do not see the Users group listed anywhere.
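The User Rights Assignment check described above, scripted rather than done through the GUI. This is an added example, not code from the question or the answer; it assumes an elevated PowerShell session on the machine being inspected and uses `secedit /export` (which needs administrator rights) to dump the effective local policy, then resolves the SIDs listed for SeImpersonatePrivilege to account names so you can see exactly which principals, SERVICE included, are granted it.

```powershell
# Added example (not from the original question or answer): list every
# principal granted SeImpersonatePrivilege in the local security policy.
# Assumes an elevated session; secedit /export requires administrator rights.

$inf = Join-Path $env:TEMP 'user-rights.inf'
# Export only the "User Rights Assignment" area of the effective local policy.
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# The export is an INI file; its [Privilege Rights] section holds lines shaped
# like this (constructed illustration of the format):
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$line = Get-Content -Path $inf |
    Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item -Path $inf -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeImpersonatePrivilege is not assigned to any principal in local policy.'
    return
}

# Grantees are comma separated; SIDs carry a leading '*', plain names appear bare.
$entries = ($line -split '=', 2)[1].Trim() -split ','
foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if (-not $entry) { continue }          # tolerate an empty assignment
    if ($entry.StartsWith('*')) {
        $sidText = $entry.Substring(1)
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($sidText)
        try {
            # Well-known SIDs (e.g. S-1-5-6 = NT AUTHORITY\SERVICE) resolve locally.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved SID>'
        }
        Write-Output ('{0,-30} {1}' -f $sidText, $name)
    } else {
        Write-Output $entry
    }
}
```

A service account that is not itself listed still receives the privilege if it is a member of a listed principal, so compare this output against the groups and well-known identities the account's token actually carries.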