That is strange, could you add a screenshot or more detail?
I think modifying capabilities for roles for the context of that particular block is the correct approach, when we only want to deny access to one block (for denying access to all blocks you should try the approach where you prohibit access to all blocks again as mentioned elsewhere in the discussion).
That is, capabilities are allowed/prevented/prohibited etc. on contexts, not in general. There is the system context, which is pretty wide, but also a single block like settings has a context of its own, so you can give or deny capabilities especially for that single block.
I would advise against modifying core files (too avoid if at all possible). Moodle is not yet as extendible as could be, so sometimes it can't be avoided, but it is better avoided when possible, since it complicates your upgrades and for other reasons.