Putting it a slightly different way (and to ease any confusion between Share and NTFS permissions), the primary set of permissions for access to a particular file or folder are the NTFS permissions. These are the permissions that would apply if you were accessing the file/folder locally on the computer hosting the file (without going through a share). However, when accessing the file/folder through a share, the permissions that the remote user has are the NTFS permissions MASKED by the Share permissions.
So set the NTFS permissions for the actual permissions that you want the users to have (these can be a complex hierarchy if you feel so inclined), and set the Share permissions to admit just the users that you want to have remote access, with the greatest permission that they have anywhere in the tree of files and folders.
Re your point #2, I'm not sure if you are getting confused - you seem to be saying R+W a lot and Modify elsewhere, and not only Read anywhere... If your last example was to, say, give the group "Managers" full r/w access to the entire share and the "Staff" group Read-only access to the entire share except for the "Widgets" subfolder, which should have Modify (effective r/w) access, then you could do this. Let's say the share will be called "Stock" and be located at D:\Data\Stock on the host system.
You would add the "Managers" group to the NTFS permissions for D:\Data\Stock with Modify access, and the "Staff" group there with just Read+Execute permission. Then on the Widgets subfolder (D:\Data\Stock\Widgets) additionally add the Staff group with Modify access.
THEN on the share permissions, just add "Managers" with Modify, and "Staff" also with Modify (Modify being the greatest permissions that Staff have SOMEWHERE in the share).
There will probably already be some NTFS permissions on "D:\Data\Stock". These may grant Administrators full access, and r/o access for a "Users" group (and a mysterious thing called SYSTEM). It's probably OK to leave those permissions in (as the Share permissions will limit access by other users). You could block inheritance for the 'Users' group, but that might be a step too far for now (until you get the hang of what I suggested above - oh, and until you REALLY have a lot of experience, don't remove "SYSTEM" from permissions lists).
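As an added example (not part of the answer above), here is the Stock/Widgets setup from this answer scripted in PowerShell: icacls for the NTFS layer and New-SmbShare for the share layer. It assumes Windows Server 2012 or later (SmbShare module), an elevated prompt, that the two groups already exist, and uses "EXAMPLE" as a placeholder domain/computer name that is not from the answer.

```powershell
# Added example, not the original poster's script. "EXAMPLE" is a placeholder
# domain or computer name; replace it with your own.
$Root     = 'D:\Data\Stock'
$Widgets  = Join-Path $Root 'Widgets'
$Managers = 'EXAMPLE\Managers'
$Staff    = 'EXAMPLE\Staff'

# Create the folders if they do not exist yet.
foreach ($dir in @($Root, $Widgets)) {
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

# NTFS permissions: this layer carries the real access decisions.
# (OI)(CI) = apply to files and subfolders below; M = Modify; RX = Read & Execute.
# Existing inherited entries (Administrators, SYSTEM, Users) are left untouched.
icacls $Root    /grant "${Managers}:(OI)(CI)M"
icacls $Root    /grant "${Staff}:(OI)(CI)RX"
icacls $Widgets /grant "${Staff}:(OI)(CI)M"    # Staff get Modify only under Widgets

# Share permissions: admit only the two groups, each at the highest level it
# needs anywhere under the share. The share level the answer calls "Modify"
# is named "Change" in Windows, hence -ChangeAccess for both groups; the NTFS
# entries above then mask Staff down to Read outside Widgets.
if (-not (Get-SmbShare -Name 'Stock' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Stock' -Path $Root -ChangeAccess $Managers, $Staff | Out-Null
}

# Review what was set: NTFS ACLs on both folders and the share-level ACL.
icacls $Root
icacls $Widgets
Get-SmbShareAccess -Name 'Stock'
```

Effective remote access for any user is the intersection of the share entry and the NTFS entries that apply to the path, so a Staff member connecting through \\server\Stock reads everywhere but can only write under Widgets.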