"Site groups are automatically applied to the portal’s home area and therefore the whole portal if the sub-area’s security setting is not changed. Moreover, sub-area cannot contain site groups that are not applied to the parent area. This is due to the fact that an area inherits either all or part of the site groups applied to the parent area"So in the instance that a user is a reader at the home area but admin further down, what can you do?. Well what about
"...creating a security group in AD. In the portal’s “manage users” page, set “domain users” as readers. This will give all the domain users reader’s permission. Then in the “topics\divisions\sales” area’s “Manage Security Settings” page, assign administration permission to domain group “Sales”. After these steps, every member of the “Sales” group will have administrator’s permission regarding “topics\divisions\sales” area and reader’s permission regarding other areas. Later you can add or remove members to or from the “Sales” group to assign or revoke administration permissions to or from actual windows accounts".