Hi, you can do it with 2, 3 or 4 tables depending upon how much control you want. Moreover, Zend_Acl seems to think of Access Control in Roles but, you can also think of Groups as a Role. In case of 2 tables, you'll have user and user_role pivot. In case of 3 tables, you'll have user, role and user_role pivot. In case of 4 tables, you'll have user, role, user_role and role_permissions table.
Personally, I would prefer 4 tables. This way you can implement a page where you can add / delete permissions through UI rather than hardcoding it in your Controller or in Application.
Let's get in touch so, we can discuss specifics.