You didn't really say which version of Bugzilla you are using, so the URLs are for the latest release, 4.2. However, the same concepts apply to most recent versions. For instance, we use 3.6 and control whether certain users can change certain things in the same ways that I describe below.
1) Restricting users who are not in a group from seeing bugs is what Bugzilla's group security does:
http://www.bugzilla.org/docs/4.2/en/html/groups.html
One wrinkle in your case is that group security controls positive access rather than negative access. That is, it allows specifying which groups can view bugs in a product rather than groups that cannot. To keep members of students from viewing bugs in projectA, you'll need to have a group that can access projectA and devise a way to keep users in students out of that group.
Alternatively, you could put some custom code into Bugzilla::User::can_see_bug, Bugzilla::User::visible_bugs, or Bugzilla::Bug::check_is_visible to exert firmer control that users who are in group students can never see bugs in projectA
2) You can exercise a lot of granularity in allowing changes:
http://www.bugzilla.org/docs/4.2/en/html/cust-change-permissions.html
We do something like this. We have a set of users to whom we want to grant read-only access unless we have explicitly allowed read-write access. To do this, we have a group called allspecialusers to which these users belong based on email address. We have another group called approved_specialusers to which some of those users are added manually.
So, in our Bugzilla::Bug::check_can_change_field, we have code like:
if ($user->in_group('specialusers') &&
!$user->in_group('approved_specialusers')) {
$$PrivilegesRequired = 3;
return 0;
}
You can do what you want by checking if the bug is in product projectB and the user trying to make the change is in group students
