remove an ACE from a DACL

void RemoveEveryoneDeny()
{
SECURITY_DESCRIPTOR *psd;
DWORD needed;

GetFileSecurity(_T("test.txt"), DACL_SECURITY_INFORMATION, NULL, 0, &needed); //find out how big the security descriptor is
psd = (SECURITY_DESCRIPTOR*)malloc(needed); //allocate that memory
GetFileSecurity(_T("test.txt"), DACL_SECURITY_INFORMATION, psd, needed, &needed); //fill out the security descriptor

PACL dacl;
BOOL present, defaulted;
ULONG entries;
EXPLICIT_ACCESS *ea;

GetSecurityDescriptorDacl(psd, &present, &dacl, &defaulted);
GetExplicitEntriesFromAcl(dacl, &entries, &ea);
//do what you need to to save information from the explicit access
//array, the amount of entries that it contains is in entries, and
//the TRUSTEE structure that it contains will contain the SID of
//the user account, so you can compare it to the well known Everyone
//SID or use LookupAccountSid to get the name from it and compare that
//with the Everyone string

PACL newacl;
EXPLICIT_ACCESS ea2 = {0};
ea2.grfAccessMode = SET_ACCESS; //overrides any current acl permissions
ea2.grfAccessPermissions = STANDARD_RIGHTS_ALL; //this is filled in from the file permissions, see CreateFile
ea2.grfInheritance = NO_INHERITANCE;
ea2.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; //must be set to this
ea2.Trustee.pMultipleTrustee = nullptr; //must be null
ea2.Trustee.TrusteeForm = TRUSTEE_IS_NAME; //this says that ptstrName points at a string
ea2.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP; //Everyone is the World SID, and is a well known group
ea2.Trustee.ptstrName = _T("Everyone"); //The world SID name

SetEntriesInAcl(1, &ea2, dacl, &newacl);

SECURITY_DESCRIPTOR sd2;
InitializeSecurityDescriptor(&sd2, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&sd2, TRUE, newacl, FALSE);

SetFileSecurity(_T("test.txt"), DACL_SECURITY_INFORMATION, &sd2);

}