I agree on the fact that the lock permissions table is next to useless when setting permissions to the registry as the perms aren't set recursively (well actually, sometimes they are and at other times they aren't).
For files and folders it works as expected (at least for me). One of the most important things about setting permissions the "msi-way" is the fact that permissions are set to files and components. To set permissions to a directory, you have to set the ACL's to the component that copies the first file to that directory. If it's an empty dir the only way I've managed to set perms is to create a new component that set the ACL's.
The "BuiltIn\[GroupName]" account groups are language specific. What other alternatives are there to set permissions not bound to a specific domain?
Maybe the best way of setting ACL's is through a custom action, and if you want to roll back permissions, the only way of doing it, is through a roll-back custom action...