We recently upgraded from 2003 to 2007. I restored an upgraded site collection with one subsite on our new MOSS server using stsadm. The subsite was an administration site that didn't allow access to anyone outside my team. Now everyone has access and can view everything. The problem is that even if I remove everyone - groups, all people, site permissions - a random test account I created and other users I've checked can still open the site and view anything they click on. I broke permissions from the parent site (which never should have existed) but still when I create groups or change permissions within the subsite, the change is also added to the parent site and vice versa but has no real effect on actual permissions.
Taking another direction, I tried creating a new subsite without inheriting during creation but the problem still exists. Any random user can view the site's content. Anonymous access is disabled and Authenticated users are NOT added. I removed them from the parent site as well which seemingly did nothing for either site. Could this have something to do with all users being listed under "All People" after restoring the parent site? Is there a way to remove all users and any ties in the database to start fresh?