Windows implements filesystem permissions using Access Control Lists (ACLs), which permit setting "allow" and "deny" rules for various types of access, for users and groups. It's generally best to avoid deny rules where feasible and use only allow rules to express the desired set of permissions.
ACLs can be set interactively by an administrator (or by a non-administrative user, for filesystem objects owned by that user) using Windows Explorer. However, as with other administrative tasks, we recommend this be scripted using Powershell or another scripting language so it can be saved and repeated if necessary.
If user accounts have been created for Enterprise Server processes, and application programs and data files have been organized into their own filesystem trees as recommended in Hardening filesystem permissions, then it should be straightforward to set the appropriate permissions for those accounts. Ensure those accounts are not members of groups with excess permissions (such as Administrators). Set inheritable ACLs granting the desired degree of access on the root directories of the trees containing programs and data files.