1. Obviously creating a specific group for adding people to restrict certain access is one method.
2. Is the Viewer group not sufficient.
3. In the short term it could just be an idea to remove the person from the specific project. The user still exists in the QC list of users just not assigned to a project, so adding the user back in is very straight forward.
As Yak stated, the best you will be able to do is remove all groups but viewer, which will ensure no changes from the account will happen, but it does not prevent them from logging into the project and seeing the information.
The only way to ensure they cannot access the project at all is to remove them from the project users list. You can always re-add them at a later date if they join the project again.
Insanity: doing the same thing over and over again and expecting different results