Deny overrules grant, so if you add someone to db_datareader and db_denydatareader, they will not be able to read anything.
As for db_owner, test and see. (can't recall offhand whether db_owner behaves like sysadmin w.r.t. permissions)
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
We walk in the dark places no others will enter
We stand on the bridge and no one may pass