First, are you talking about a Windows 2000 AD or Windows NT?

In Windows 2000, the security settings are pushed through group policy. By default, each domain has a "default domain policy" that applies to everyone in the domain. That's what pushes your "effective" settings.

Local settings apply when:

1) The computer is not part of a domain
2) The domain policy has a setting of "not configured," which allows the local policy of each computer to apply whatever it thinks best.

I hope this clears up some of your questions.