You should look at your DEFAULT provider ...
<roleManager defaultProvider="XmlRoleProvider".......... />
If your default provider is XmlRoleProvider, then the roles are stored in roles.xml (in App_Data). If it's DbRoleProvider, then it's the be_Roles table in the DB.
If you make any direct changes to roles.xml or the DB, you'll want to restart BE so it re-queries the datastore to get the latest roles (this type of data is generally cached in memory so the datastore doesn't need to keep getting re-read). You can
restart BE by making any change to the web.config file (add a space, etc).
To prevent a role from accessing page(s) in the control panel, there's two things to do.
1. In the web.sitemap file in the root of your blog, you can edit the Roles in there tied to each page in the control panel.
2. In the Admin\Pages folder, there's a file named web.config. You can edit the Roles in there tied to each page in the control panel. This file in particular controls whether someone in a specific role can access each page.