For the ultimate in control, Microsoft provides the Security Descriptor Definition Language (SDDL). This language is sparsely documented and far from intuitive, but is actually quite powerful for specifying permissions. If you aren't intimidated by the permission string "D:(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;PU)(A;ID;FA;;;BA)(A;ID;FA;;;SY)" well then, SDDL is just right for you.
There's no doubt that Windows permissions are complex. Microsoft has at least improved things by using better default permissions so we don't have to bother with it as much. But considering how powerful these capabilities are if customized by users, it might be worth it for them to spend some time rethinking the metaphors and the user interface.
I just thought it was funny. :-)
Cheers,
Scott.