When I create a new domain user account, that user has FULL
permission
without adding the new user to any SP groups. I have checked the
default group permissions, they are all default. I have checked
anonymous access, it is turned off. I have checked IIS and all
sharepoint sites are NOT set to allow anonymous access, and I have
checked POLICY FOR WEB APPLICATION.

The latter is the only thing I have found to change the site at all.
In my user list under POLICY FOR WEB APPLICATION, I have:


NT AUTHORITY\LOCAL SERVICE - FULL READ
NT AUTHORITY\NETWORK SERVICE - FULL CONTROL
NT AUTHORITY\SYSTEM - FULL CONTROL
BUILTIN\USERS - FULL CONTROL


The last one is the account that impacts site function. If I remove
it or change the permissions, it affects ALL users on the site.

I don't know why the Builtin \Users would be granted Full Control. Web
application policies do indeed apply to the entire web application, and the
superceed any other permissions. I don't have access to a SharePoint CA at
the moment so I can't tell you what the default policy permissions are.
However, as Ben Curry points out in this blog post
http://www.mindsharpblogs.com/ben/ar...3/30/1657.aspx most of the
default permissions are Full read, not Full control. You are going to want
to modify the Web application policies and you shoud apply permissions in
the Site collections instead.