security, sitecore, sitecore8

Sitecore access viewer does not match actual behavior


In the Security Editor, I explicitly denied Read rights for a user to an item. In the Access Viewer, I am able to verify that Read rights for this user and this item are denied.

As this user, when I open the item's page in my browser, I can see all the content. I would expect a 404, but I can just see the page.

I verified that it's definitely the same user and the same item by placing some temporary debug info in my layout page:

user is @(Sitecore.Context.GetUserName()) - item is @(Sitecore.Context.Item.ID) - can read: @(Sitecore.Context.Item.Security.CanRead(Sitecore.Context.User))

This informs me that the user indeed has Read rights for this item, even though both the Security Editor and Access Viewer show that these rights have been denied.

What could possibly cause a difference between what I see in the Access Viewer and what I get from Sitecore.Context.Item.Security.CanRead?

(Yes, I also recycled my app pool several times to make sure that no kind of caching is applied.)


Solution

  • Access right information is stored on the item itself.

    Make sure that you published the page.

    Remember that you can switch the database from the Sitecore Desktop to web, start the Access Viewer and see the access rights information for the web database there.
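
The comparison the answer describes can also be done in code. This is an added example, not part of the original post: it reads the same item from both databases and reports the stored access rules and the effective Read right for one user. It assumes the default database names `master` and `web` and an instance where both are configured; `SecurityPublishCheck` and `Compare` are hypothetical names.

```csharp
using Sitecore.Configuration;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Security.Accounts;
using Sitecore.SecurityModel;

public static class SecurityPublishCheck
{
    // Compares the access rules stored on one item in master and web and
    // reports what each database grants the given user.
    public static string Compare(string itemId, string userName)
    {
        // Assumption: default database names "master" and "web".
        Database master = Factory.GetDatabase("master");
        Database web = Factory.GetDatabase("web");
        User user = User.FromName(userName, false);
        ID id = ID.Parse(itemId);

        Item masterItem, webItem;
        // Load both copies with security disabled so that a deny rule
        // on the item cannot hide it from this check.
        using (new SecurityDisabler())
        {
            masterItem = master.GetItem(id);
            webItem = web.GetItem(id);
        }
        if (masterItem == null) return "Item not found in master.";
        if (webItem == null) return "Item has not been published to web.";

        // Access rules are serialized on the item in the __Security field.
        string masterRules = masterItem[Sitecore.FieldIDs.Security];
        string webRules = webItem[Sitecore.FieldIDs.Security];

        // Effective rights are evaluated outside the SecurityDisabler scope.
        bool masterCanRead = masterItem.Security.CanRead(user);
        bool webCanRead = webItem.Security.CanRead(user);

        return string.Format(
            "master: rules='{0}' canRead={1}\nweb:    rules='{2}' canRead={3}\n{4}",
            masterRules, masterCanRead, webRules, webCanRead,
            masterRules == webRules
                ? "Security field matches in both databases."
                : "Security field differs: publish the item to web.");
    }
}
```

Effective rights also depend on rules inherited from ancestor items, so a matching field with different `canRead` results points at an unpublished ancestor rather than the item itself.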