By default (out-of-the-box installation), there is an organization called Everyone that contains all the users. By removing that organization (or the users from it), the default state is "deny all". Please refer to the following video to hopefully get more clarification: https://www.youtube.com/watch?v=HzFqxvgHtpI&index=8&list=PLz1ppcU_kaneagUT9qgQfz3HByf6-9zTF
You may also look at this document on the use of the system user: The use of System User
Run Time (not instance) refers specifically to this one template. I.e., if you have 3 things derived from this template and you set Run Time Instance, all 3 of those things will inherit the same permission. If you set just Run Time, it will set permissions only on this particular template.