This is a brand new 2012R2 AD environment, and I have a test user that is only a member of domain users. The folder structure I will use for an example is \\server\data-share\accounting. Domain users have NTFS read-only permissions to the data-share folder so that they can list the contents; however, this is applied to the data-share folder only, not sub-folders/files, so if you look at the permissions on the accounting folder, you will see no ACL entries for domain users.
So here is the issue: when I look at effective access on the accounting folder for the test user, they have 'read permissions' and 'change permissions' rights (see pic). I cannot figure out where this is coming from. Any ideas?