So basically, you want to
[ul][li] allow members of ONE GROUP to connect, and[/li]
[li] not restrict what they can do at the file level?[/li][/ul]
To restrict who can connect, set it in “Samba permissions”: valid users or groups, invalid users or groups, and Restrict write access to these users/groups. And omit anything that sets filesystem permissions.
No, these settings remain useful because they aren’t related to NT ACLs. Let’s try to explain.
Create files/directories with the owner of the parent directory
[ul][li] YES -> every file/subdir being created will have the same owner as the directory it is in[/li]
[li] NO -> every file/subdir being created will be owned by the user creating it[/li][/ul]
Create files/directories with permissions of the parent directory
[ul][li] YES -> every file/subdir being created will have the same filesystem permissions as the directory it is in[/li]
[li] NO -> the permissions depend on the user creating a file/subdir (his umask, and some other masks)[/li][/ul]
So unchecking these two boxes on your shared directory would leave you with a share where every file or directory can possibly be owned by somebody different, and have different permissions.
Note that you can achieve a similar effect (set unique ownership and permissions) at different levels: the “force user” and “force group” settings at the top of “Samba permissions”, or extensively using the “Samba extended permissions” attributes matrix, especially the ‘force file mode’ and ‘force directory mode’ settings.
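As an added illustration (not part of this thread, and not the NAS vendor's code), the script below renders the smb.conf share stanza that the settings discussed above produce, and models how Samba derives the UNIX mode of a new file or directory when the two "parent directory" boxes are unchecked. Assumptions: the two checkboxes map to the smb.conf parameters `inherit owner` and `inherit permissions`, "Restrict write access" maps to `read only = yes` plus `write list`, and the group name `@staff` and paths are constructed sample values. The mode rule (`(mode AND mask) OR force mode`, defaults 0744/0000 for files and 0755/0000 for directories) is the one documented for `create mask` / `force create mode` and `directory mask` / `force directory mode`.

```python
"""Render smb.conf share stanzas for the GUI choices discussed in the post and
model Samba's documented mode calculation when inheritance is switched off.
Added example; checkbox-to-parameter mapping and sample names are assumptions."""
from dataclasses import dataclass, field
from typing import List

# Samba defaults for the masks applied when 'inherit permissions = no'.
DEFAULT_CREATE_MASK = 0o744
DEFAULT_DIRECTORY_MASK = 0o755
DEFAULT_FORCE_CREATE_MODE = 0o000
DEFAULT_FORCE_DIRECTORY_MODE = 0o000


@dataclass
class ShareSpec:
    name: str
    path: str
    valid_users: List[str] = field(default_factory=list)   # groups written as @name
    write_list: List[str] = field(default_factory=list)    # "Restrict write access"
    inherit_owner: bool = False        # "Create ... with the owner of the parent directory"
    inherit_permissions: bool = False  # "Create ... with permissions of the parent directory"
    force_user: str = ""
    force_group: str = ""
    force_create_mode: str = ""        # octal string, e.g. "0664"; "" keeps Samba's default
    force_directory_mode: str = ""


def render_share(spec: ShareSpec) -> str:
    """Return the [share] stanza as it would appear in smb.conf."""
    lines = [f"[{spec.name}]", f"    path = {spec.path}"]
    if spec.valid_users:
        lines.append("    valid users = " + " ".join(spec.valid_users))
    if spec.write_list:
        # Everyone in 'valid users' may read; only 'write list' members may write.
        lines.append("    read only = yes")
        lines.append("    write list = " + " ".join(spec.write_list))
    lines.append(f"    inherit owner = {'yes' if spec.inherit_owner else 'no'}")
    lines.append(f"    inherit permissions = {'yes' if spec.inherit_permissions else 'no'}")
    if spec.force_user:
        lines.append(f"    force user = {spec.force_user}")
    if spec.force_group:
        lines.append(f"    force group = {spec.force_group}")
    if spec.force_create_mode:
        lines.append(f"    force create mode = {spec.force_create_mode}")
    if spec.force_directory_mode:
        lines.append(f"    force directory mode = {spec.force_directory_mode}")
    return "\n".join(lines) + "\n"


def effective_mode(requested: int, mask: int, force: int) -> int:
    """Samba's rule with 'inherit permissions = no': AND with the mask, OR the force mode.
    'requested' is the UNIX mode Samba derived from the client's DOS attributes."""
    return (requested & mask) | force


def new_file_mode(force_create_mode: int = DEFAULT_FORCE_CREATE_MODE) -> int:
    # A plain client file request maps to rw-rw-rw- before the masks are applied.
    return effective_mode(0o666, DEFAULT_CREATE_MASK, force_create_mode)


def new_dir_mode(force_directory_mode: int = DEFAULT_FORCE_DIRECTORY_MODE) -> int:
    return effective_mode(0o777, DEFAULT_DIRECTORY_MASK, force_directory_mode)


def group_only_share() -> ShareSpec:
    """The post's advice: restrict who connects, leave filesystem ownership alone."""
    return ShareSpec(name="team", path="/srv/samba/team", valid_users=["@staff"])


def uniform_share() -> ShareSpec:
    """Both 'parent directory' boxes ticked: one owner and one mode for everything."""
    return ShareSpec(name="team", path="/srv/samba/team", valid_users=["@staff"],
                     inherit_owner=True, inherit_permissions=True)


if __name__ == "__main__":
    print(render_share(group_only_share()))
    print(render_share(uniform_share()))
    print(f"file with defaults: {new_file_mode():04o}")          # 0644
    print(f"file with force 0664: {new_file_mode(0o664):04o}")   # 0664
    print(f"dir with defaults:  {new_dir_mode():04o}")            # 0755
```

With the defaults, a file ends up 0644 even though the client asked for 0666, which is why a share with inheritance off can hold files that only their creator can write; ticking the two boxes (or setting `force create mode` / `force group`) is what makes every file look alike.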