What it means, is (as an example):
User "DOMAIN\jcitizen" was given read-only access to the directory C:\fakepath, and in this folder, exists a file called "document.docx". At this point in time, jcitizen can open the file to read it's contents, however can not save any changes.
3 months later, jcitizen's manager created another file, called "adobe.pdf" and placed it in C:\fakepath. The manager decided that jcitizen was to have the ability to save changes to and make changes to access permissions on document.docx, so they explicitly set Full Control permissions on C:\fakepath\document.docx for jcitizen.
As explicit permissions override inherited permissions, when jcitizen tries to save any changes to document.docx (such as adding a new paragraph of text and giving read-only access to DOMAIN\jdoe) the read-only permissions it inherited from C:\fakepath were effectively made redundant and the file system listens to the explicit permissions.
Now, 6 months later on, jcitizen's manager decides to give everyone Full Control permissions on C:\fakepath. As Full Control permission is the highest-level of file/folder permission that can be granted to a user (as it can also take ownership of a file or folder), it supersedes any explicit permissions set on any files or folders below it.
In a corporate environment, it is always advisable to NEVER give Full Control to any network user. The only people or groups that should ever have Full Control are Domain Admins. When I rebuilt the network (as well as the two file servers running DFS) for the company I work for, I didn't even give our director's day-to-day account Full Control permissions, and opted to give them a second account with Domain and Enterprise Admin privileges.
I hope this clears it up for you.
