We just recently implemented SharePoint 2013 Enterprise in our development environment.
When working with permissions, we decided to add all of our domain users with Read permissions to the initial user portal and all departmental subsites of that portal.
We added some users directly to the Approvers group initially to let them start looking around.
Now, on removing those users from the Approvers group, they get access denied messages throughout the site and subsites.
We created an Active Directory security group to house all of the domain users. The users having issues are already members of this group.
Other group members who have never been assigned permissions directly are working as expected.
I've restarted the WFE server to see if it was a caching issue, to no avail. Any help would be appreciated.