Learning from my own mistakes, I wanted to share the following bit about defining security policies for a web application using Central Admin. If you open up Application Management you see the following section:
Now there is a 'no-touchy' link and a 'yes, please touch me' link. The 'no-touchy' link is the 'User Permissions for Web Application' link: if you touch it and uncheck some options like 'Manage Web Site', you will experience the strange behavior and errors described in the previous posts Self-Service Site Creation and permissions and Permissions and workflow, because that setting removes the permission for every account on the web application, service accounts included.
Best practice is to leave that thing alone and define your own 'user-permissions for Web Application' using the 'yes, please touch me link' ;)
Once there, click on the "Manage Permissions Policy Levels" (on the left)
Click on "Add Permission Policy Level", then you see an overview of all the permissions (the same list as in the "User Permissions for Web Application" link) and you can grant or deny each permission according to your requirements.
So give it a proper name and description, check the permissions you want to give and click on OK. The next step is to add a group of users (in my case ALL the users) to that permission level. Click on "Add Users", then click Next. Here you can also apply the custom policy to a specific zone only; for example, an Internet zone on the same web application can have different permissions than the Intranet zone.
Type in the group name (or just particular users), check your custom permission level and click on Finish, et voilà. You've assigned all the users to your custom permission level, while the service accounts keep using their own permission levels.
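The same procedure scripted against the SharePoint server object model, as an added example that is not part of the original post: it creates the policy level ("Add Permission Policy Level"), binds a group to it on one zone ("Add Users"), and then lists the zone's policies so you can verify that only the intended group got the restricted level. The web application URL, group name and policy name are placeholders; the granted and denied permission set is an assumption chosen to mirror the post's 'Manage Web Site' example, not something the post prescribes.

```powershell
# Added example, not from the original post. Run on a SharePoint server as a farm
# administrator. Works with the server object model on 2007 and later (no snap-in).
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$webAppUrl  = "http://intranet.example.local"    # placeholder: your web application URL
$groupName  = "EXAMPLE\Domain Users"             # placeholder: group that gets the custom level
$policyName = "All Users - No Site Management"   # placeholder: name of the custom policy level

$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$webAppUrl)

# 1. Define the custom permission policy level. Granted rights are added on top of
#    whatever site-level permissions the users already have; denied rights win over
#    everything, including site collection administrator rights, so deny sparingly.
$grant = [Microsoft.SharePoint.SPBasePermissions]"ViewListItems, ViewPages, Open, BrowseDirectories, ViewVersions"
$deny  = [Microsoft.SharePoint.SPBasePermissions]"ManageWeb, ManagePermissions"

$role = $webApp.PolicyRoles | Where-Object { $_.Name -eq $policyName }
if ($role -eq $null) {
    $role = $webApp.PolicyRoles.Add($policyName, "Read-only style level for all users; service accounts keep their own levels", $grant, $deny)
}

# 2. Bind the group to that level on the Default zone only. Use $webApp.Policies
#    instead of ZonePolicies() if the policy should apply to every zone.
$zone         = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$zonePolicies = $webApp.ZonePolicies($zone)

$policy = $zonePolicies | Where-Object { $_.UserName -eq $groupName }
if ($policy -eq $null) {
    $policy = $zonePolicies.Add($groupName, $groupName)
}
if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $policyName })) {
    $policy.PolicyRoleBindings.Add($role)
}
$webApp.Update()

# 3. Verify: every policy on the zone with the levels bound to it. Service accounts
#    (search crawler, application pool identity, ...) should still show their own
#    Full Read / Full Control entries and must NOT be bound to the new level.
foreach ($p in $webApp.ZonePolicies($zone)) {
    $levels = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    Write-Host ("{0,-40} {1}" -f $p.UserName, $levels)
}
```

A deny bit in a policy level overrides site and list permissions for everyone the policy applies to, which is exactly why it is safer to bind a restricted level to an explicit group than to uncheck a right in 'User Permissions for Web Application' and thereby strip it from the service accounts as well.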