Judging by $SPLUNK_HOME/etc/system/README/authorize.conf.spec you can't do a blacklist like you are looking for.
Use deployment server to manage your Search Heads and deploy and authorize.conf to them which controls index access. You will still have to whitelist the good indexes, but you only have to do it once. This makes it far easier to keep your security consistent.
Less optimal solution:
You could test out using a Search Filter to exclude access to the index (something like index!="payroll" ), but I think you are better off to actually restrict the use of indexes.
Getting really fancy:
Distribute your indexes.conf to your indexers by deployment server too. Then to create an index you just edit the indexes.conf in the app going to your indexers and the authorize.conf in the app going to search heads and you have configured everything in one foul swoop. In one environment I am managing three search heads and four indexers in this way, and as a result I still have hair.
More info on deployment server:
... View more