I recently did some research into how Windows networking environments apply access rights across file systems. I've been in the IT business for more than a decade. So, if asked, I probably would've told you that I already know how it all works. But there are a number of intricacies and things I didn't know -- like how security policy can override local NTFS permissions or how Windows doesn't always enforce the most restrictive policy. It seems that Windows enforces permissions based on what it believes to be the administrator's intent, which is interesting.
I published a whitepaper describing all the details. It describes how the controls work and covers the effect of group memberships, inheritance, deny ACEs, the owner attribute, and more. And of course, it provides some guidance for taking control of all that complexity.
You can register for a copy here: