VMware Cloud Community
WCUsteve
Contributor

vCenter 5 "Administrators" group

I'd like to determine if the "Administrators" group in vCenter 5 is necessary or is it a security risk? Is it linked to the Local Administrators group on the vCenter 5 Windows 2008 R2 server?

Also, who are the members of the "Administrators" group in vCenter 5?

I would like to eliminate anyone from accessing vCenter 5 without express permission, and it looks like the "Administrators" group is my only unknown.

kjb007
Immortal

The group is very much tied to the 'Local administrators' group from the Windows machine vCenter runs on. With default permissions, that also includes domain admins. The authentication flows through Windows, and roles are assigned at the vCenter level, and by default the local Windows Administrators group is assigned the Administrator role.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
WCUsteve
Contributor

What would be the recommended best practice? If I set the "Administrators" group to "no access", then will any user and domain group present in the Local Administrators group be denied access to vCenter?

kjb007
Immortal

Groups and inheritance can get very tricky when you're setting roles. I would use "no access" sparingly. First, make sure you have entries for who you do want to allow. Then, remove the Administrators permission, but keep this article handy just in case: http://kb.vmware.com/kb/1005680

I would instead remove the users you don't want from the 'Local administrators' group.

-KjB

WCUsteve
Contributor

Thanks for the info, it was very helpful. I think I'll start by changing the permission on the "Administrators" group to read-only. The groups that are part of the local admins group are added via Group Policy in AD and I have little control over it.

kjb007
Immortal

If the ID that you are using to log in is a part of the Local Administrators group, then setting that permission will give you read-only permission, and then no way to fix it, other than the article I posted earlier.

Removing the administrators group once you've added proper permissions will remove the direct permission without locking yourself out.

-KjB

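One way to carry out the sequence described in the replies above (audit the local group, grant the Administrator role to a principal you control, and only then remove the default grant) as an added PowerShell/PowerCLI example that is not part of the thread. The server name, the AD group name and the use of 'Admin' (PowerCLI's name for the Administrator role) are assumptions; run it on the vCenter Windows server itself.

```powershell
# Added example (not from the thread): audit the local Administrators group and the
# matching vCenter permission, and avoid the lockout described in the replies.
# Assumes VMware PowerCLI is installed; server and group names are placeholders.
Import-Module VMware.VimAutomation.Core

$vcHost   = 'VCENTER01'                 # placeholder: Windows host that vCenter runs on
$adminGrp = "$vcHost\Administrators"    # local group that holds the Administrator role by default
$keepGrp  = 'CORP\vCenter-Admins'       # placeholder: AD group you control, to hold the role instead

# 1. Who is in the local Administrators group? ('net localgroup' works on Windows Server 2008 R2,
#    where Get-LocalGroupMember does not exist.) Domain groups pushed by GPO show up here too.
$members = (net localgroup Administrators) |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|The command|-+)' }
Write-Host "Local Administrators members on ${vcHost}:"
$members | ForEach-Object { Write-Host "  $_" }

Connect-VIServer -Server $vcHost | Out-Null
$root = Get-Folder -Name Datacenters -NoRecursion     # vCenter root inventory object

# 2. Show every permission that grants the Administrator role and where it applies
Get-VIPermission -Entity $root |
    Where-Object { $_.Role -eq 'Admin' } |
    Format-Table Principal, Entity, Propagate, IsGroup -AutoSize

# 3. Make sure a principal you control holds Admin at the root BEFORE touching the default grant
$adminPerms = Get-VIPermission -Entity $root | Where-Object { $_.Role -eq 'Admin' }
if (-not ($adminPerms | Where-Object { $_.Principal -eq $keepGrp })) {
    New-VIPermission -Entity $root -Principal $keepGrp -Role Admin -Propagate:$true | Out-Null
    Write-Host "Granted Admin at the root to $keepGrp"
}

# 4. Only now remove the local Administrators grant. Do not set it to No Access or Read-only:
#    that would also downgrade your own session if your login is a local admin.
$default    = Get-VIPermission -Entity $root |
    Where-Object { $_.Principal -eq $adminGrp -and $_.Role -eq 'Admin' }
$stillAdmin = Get-VIPermission -Entity $root |
    Where-Object { $_.Role -eq 'Admin' -and $_.Principal -ne $adminGrp }
if ($default -and $stillAdmin) {
    Remove-VIPermission -Permission $default -Confirm:$false
    Write-Host "Removed default Admin grant for $adminGrp; remaining Admin principals:"
    $stillAdmin | Select-Object -ExpandProperty Principal
} else {
    Write-Warning "Skipped: no other Admin principal at the root; removing $adminGrp would lock vCenter out."
}
```

Re-run step 2 after the change and confirm you can still log in with a member of the group you kept before closing the session used to make the change.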