Yep, got to watch out for those groups - they are additive BOTH ways. The "Grant" entries are added and the "Deny" entries are added separately. But a "Deny" overrides a "Grant" so that READ group blocked the MODIFY group. It's similar to that old rule about "attaboy" and "awshit." (One "awshit" cancels a thousand "attaboy"s.)
In general, when putting permissions on a group, you want to make the group either GRANT permission or say nothing at all. You rarely want to use a DENY unless it is very specific. And in a multi-user shared setting, a DENY will reach up to bite you. The way Windows permissions work, you can put a GRANT on something or not. You can put a DENY on something or not. And you can leave something unmarked either way. If the security arbitration code reaches an unmarked permission slot, the default is to DENY, but the thing is, THAT kind of denial can be overridden by a GRANT. An explicit DENY is more of a problem.
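The rule described in the post above, as an added example that is not part of the original post: a simplified Python model in which grants and denies are tallied separately across a user's groups, an explicit deny wins, and an unmarked right falls back to a denial that a grant can override. It is not the Windows implementation and ignores ACE ordering and inheritance; the group names, rights and ACLs are constructed for illustration.

```python
# Simplified model of the rule described above; not the Windows implementation.
# It ignores ACE ordering and inheritance. Group names and ACLs are constructed.
MODIFY = frozenset({"read", "write", "delete"})

# (group, kind, rights): the READ group carries an explicit DENY on changes.
ACL_WITH_DENY = [
    ("Readers", "grant", {"read"}),
    ("Readers", "deny", {"write", "delete"}),
    ("Editors", "grant", MODIFY),
]
# Same intent, with the Readers group simply saying nothing about changes.
ACL_GRANT_ONLY = [
    ("Readers", "grant", {"read"}),
    ("Editors", "grant", MODIFY),
]

def tally(user_groups, acl):
    """Add up grants and denies separately across all of the user's groups."""
    granted, denied = set(), set()
    for group, kind, rights in acl:
        if group not in user_groups:
            continue
        if kind == "grant":
            granted |= set(rights)
        elif kind == "deny":
            denied |= set(rights)
        else:
            raise ValueError(f"unknown entry kind: {kind!r}")
    return granted, denied

def decide(right, user_groups, acl):
    """Return why a single right is allowed or refused."""
    granted, denied = tally(user_groups, acl)
    if right in denied:
        return "explicit deny"      # wins over any number of grants
    if right in granted:
        return "granted"
    return "implicit deny"          # unmarked; a grant elsewhere would fix it

def effective_rights(user_groups, acl):
    """Rights left once every explicit deny is subtracted from the grants."""
    granted, denied = tally(user_groups, acl)
    return granted - denied

if __name__ == "__main__":
    for name, acl in (("with DENY", ACL_WITH_DENY), ("grant only", ACL_GRANT_ONLY)):
        for groups in ({"Readers"}, {"Editors"}, {"Readers", "Editors"}):
            print(name, sorted(groups), sorted(effective_rights(groups, acl)))
```

A user in both groups keeps only read access under the first ACL and gets full modify access under the second, which is the case for leaving a group unmarked instead of adding a DENY.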