70-410: Share and NTFS Permissions Question

I am in the middle of doing labs for my MCP, and I have a quick question when it comes to NTFS Share permissions. I set share permissions to 'full control' because I wanted to use NTFS permissions strictly. This was going fine, but I noticed something I didn't understand. When I assign permissions directly to a user in NTFS, it overrides group permissions.
In other words, granting full permissions to a user object will override the more restrictive permission set on a group object (which the user is a part of). This goes against what we have been taught, which is that the object with the most restrictive permissions wins. Can someone help me understand why this is different when the permissions are assigned directly to a user?
Thanks to all that reply.
Comments
Across a network via NTFS = Most restrictive permission
Locally via NTFS = Least restrictive permission
Moreover, Share permissions can only be used across a network but are trumped by NTFS permissions should they be used as well. It took me a bit to grasp that Share Permissions and NTFS were two different things.
Also, be considerate of explicit permissions. I believe nothing trumps an explicit DENY.
I hope this helps. And please, someone correct me if I'm wrong. Going off of memory here.
Explicit takes precedence over Inherited
Use it!
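
Added example, not part of any post in this thread: a simplified Python model of how Windows evaluates Allow and Deny ACEs for a user who also belongs to groups, and how share and NTFS results combine over the network. The rights bits, trustee names and sample ACLs are constructed for illustration and are not real Windows access-mask values.

```python
from dataclasses import dataclass

# Constructed rights bits for illustration; these are not real Windows access-mask values.
READ, WRITE, DELETE, CHANGE_PERMS = 1, 2, 4, 8
FULL = READ | WRITE | DELETE | CHANGE_PERMS

@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group name (hypothetical)
    allow: bool              # True = Allow ACE, False = Deny ACE
    mask: int
    inherited: bool = False  # False = set explicitly on this object

def effective(acl, token):
    """Rights an ACL grants to a token (the user's name plus all group names)."""
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    ordered = sorted(acl, key=lambda a: (a.inherited, a.allow))
    granted = denied = 0
    for ace in ordered:
        if ace.trustee not in token:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied   # a bit denied earlier cannot be granted later
        else:
            denied |= ace.mask & ~granted   # a bit granted earlier is not revoked later
    return granted

def network_effective(share_acl, ntfs_acl, token):
    """Over a share, a right must be granted by both the share ACL and the NTFS ACL."""
    return effective(share_acl, token) & effective(ntfs_acl, token)

TOKEN = {"alice", "Staff", "Everyone"}   # constructed user and group memberships
SHARE_FULL = [Ace("Everyone", True, FULL)]

def scenarios():
    user_full = Ace("alice", True, FULL)
    return {
        # Allow ACEs for the user and a group add up.
        "group_read_user_full": effective([Ace("Staff", True, READ), user_full], TOKEN),
        # An explicit Deny on the group is evaluated before the explicit Allow.
        "group_deny_write": effective([Ace("Staff", False, WRITE), user_full], TOKEN),
        # An inherited Deny is evaluated after an explicit Allow.
        "inherited_deny_write": effective([Ace("Staff", False, WRITE, True), user_full], TOKEN),
        # Share Full Control leaves the NTFS result unchanged; a Read-only share caps it.
        "share_full": network_effective(SHARE_FULL, [user_full], TOKEN),
        "share_read": network_effective([Ace("Everyone", True, READ)], [user_full], TOKEN),
    }

if __name__ == "__main__":
    for name, rights in scenarios().items():
        print(f"{name}: {rights:04b}")
```

On a real system, the Effective Access tab in a folder's Advanced Security Settings shows the NTFS side of this calculation for a chosen user.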