A: On documents: View Content (on the class Default Instance Security ACL) plus Create Instance (on the class Security ACL).
On folders: Modify Properties.
On the object store: Use object store.
A: When first created, documents get permissions from the Default Instance Security ACL and default security policy of its class. They can also inherit permissions from a security parent, if configured. When documents go through versioning changes (by being checked out, checked in, promoted or demoted) their security can change if there is a properly configured security policy associated with the document.
A: Most objects that users and administrators work with are directly securable. If an object's property sheet contains a Security tab, then it is directly securable. However, some objects have the same security as some other (owner or container) object that they are dependent on. For example, once a choice list is added to a document, it has the same security as the document.
A: Yes. Enterprise Manager is fully MMC-compliant.
A: Content Engine's configured database has tables that contain all information about objects, properties, classes, etc, including the fully encrypted security descriptors for these objects.