John,
Denying access using *ALL is not necessarily the best way to secure your system. You might consider setting *PUBLIC *ALL for Action Code security NNNN (excluding Search/Select), and then leave App. Security as default minus a few of the sensitive applications (such as Security Workbench, Address Book, System Constants etc). This can makde maintenance more manageable. You may also need to add back Action Code Security at *PUBLIC for all the relelvent Search and Select application (such as the P0101S). As the Security Officer you should also, as a precaution if you are not over familiar with doing this, assign yourself open security just to make sure you don't secure yourself out of it at the same time. Hope this helps.
James (ERP8)