AFAIK it's not possible because the feature of section access granted all listed users their access and who is not listed will get no access. But you could read (and add to the section access) the users and usergroups with something like Reading GroupMembers from active directory with QlikView and than removing those from this listing and/or maybe creating some new specialized usergroups for this purpose.
(Off the top of my head) maybe you can try to use Data Reduction where everything is linked to a Setion Access record that says NTNAME = *.
If you now put the users-to-be-denied-access before this record and with their full NTNAME value (and no valid link value), you could convert Section Acces from a Permissions list into a Denials list. Data Reduction with Strict Exclusion enabled will throw out everyone that is explicitly listed in SA.
I did a quick test with USERID & PASSWORD. This code does what I explained:
LOAD * INLINE [
ACCESS, USERID, PASSWORD, ACCESSFLAG
USER, ABC, ABC, 0
USER, DEF, DEF, 0
ADMIN, PETER, PETER, 1
USER, *, GHI, 1
LOAD 1 AS ACCESSFLAG,
Today() AS Date
Access is denied to ABC and DEF, but not to PETER or "GHI" (or anyone else using that password). I had to use a password for the wildcard entry because otherwise QlikView doesn't even present USERID/PASSWORD dialogs. You shouldn't have that problem if you only use ACCESS, NTNAME and a LINKFIELD. However, I haven't tested it with AD security.