It is possible, because I am doing it. I have share=user and have home directories viewable by the user and the admin (me). I have various departmental shares that each department can access and no one else (but the admin -- again me). Even shares that aren't browsable, so no one even knows they are there if not given access. And I have several public shares, some read-write, some read only with install files and such. USers that try to access a share they have no permission to get the logon box, but it will never actually auth because their rights don't allow it.
I have no doubt it's possible....might it be possible for you to post a sanitized version of your [globals] and one or two of the shares from the smb.conf file so that I can compare what's working for you with what's not working for me?
TIA, -Ray