New Item Descriptor Inheritance
When new items are created in folders, they are secured using the access control entries (ACEs) present in the subitem_inheritable_aces section of the parent folder's discretionary access control list (ACL). In a sense, the item inherits a "virtual" descriptor from its parent folder. If the parent folder's descriptor changes, the item automatically inherits the changes.
When you set the descriptor for an item, the "virtual" inheritance is no longer used, and the item's descriptor is used to control access. Therefore, if you make changes to the parent folder's descriptor, items that have had their descriptors set directly do not inherit these changes.
The default behavior described in the preceding paragraphs emulates the folder-based access control system used in earlier versions of Microsoft® Exchange. The drawback to using parent-folder inheritance for items is that the access rights granted or denied to trustees apply uniformly to all items within a given folder that have not had their associated descriptors explicitly set.