Code that performs a privileged action issues a code access demand, which causes the CLR to walk up the call stack and examine the permission set granted to the assembly of each method in the call stack.
The code groups and permission sets are determined by the machine's administrator, who defines the security policy.
Because the intersection is taken, the final permission set is determined by the Machine policy.
Code groups associate a piece of evidence with a named permission set.
Code that performs some privileged action will make a demand for one or more permissions.
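The mechanism described above, as a simplified Python model added here (it is not CLR or .NET code): code groups map evidence to permission sets, the grants of the policy levels are intersected, and a demand walks the call stack. The assembly names, permission names, and the full-trust Enterprise and User levels are constructed assumptions chosen so that the Machine level decides the result.

```python
# Simplified model of a CAS demand (added example, not the CLR's implementation).
from dataclasses import dataclass

@dataclass(frozen=True)
class CodeGroup:
    evidence: tuple         # (kind, value), e.g. ("Zone", "Internet")
    permissions: frozenset  # permission set granted when the evidence matches

def level_grant(groups, evidence):
    """Union the permission sets of every code group matching the evidence."""
    granted = frozenset()
    for group in groups:
        if group.evidence in evidence:
            granted |= group.permissions
    return granted

def resolve(policy, evidence):
    """Intersect the grants of all policy levels: the assembly's final set."""
    return frozenset.intersection(
        *(level_grant(groups, evidence) for groups in policy.values()))

def demand(permission, call_stack, policy, evidence_of):
    """Walk the stack from the innermost frame outward.

    Returns None if every assembly holds the permission, otherwise the
    name of the first assembly found without it (the CLR would throw).
    """
    for assembly in reversed(call_stack):
        if permission not in resolve(policy, evidence_of[assembly]):
            return assembly
    return None

# Constructed sample policy: only Machine is restrictive (assumption).
FULL = frozenset({"FileIO", "UI", "Network"})
POLICY = {
    "Enterprise": [CodeGroup(("All", "*"), FULL)],
    "Machine": [CodeGroup(("Zone", "MyComputer"), FULL),
                CodeGroup(("Zone", "Internet"), frozenset({"UI"}))],
    "User": [CodeGroup(("All", "*"), FULL)],
}
# Constructed evidence for three hypothetical assemblies.
EVIDENCE = {
    "Host.exe": {("All", "*"), ("Zone", "MyComputer")},
    "Plugin.dll": {("All", "*"), ("Zone", "Internet")},
    "FileLib.dll": {("All", "*"), ("Zone", "MyComputer")},
}
STACK = ["Host.exe", "Plugin.dll", "FileLib.dll"]  # outermost caller first

if __name__ == "__main__":
    print(resolve(POLICY, EVIDENCE["Plugin.dll"]))
    print(demand("FileIO", STACK, POLICY, EVIDENCE))
```

The demand for `FileIO` fails at `Plugin.dll` even though the library making the demand is fully trusted, because a less-trusted assembly sits in the call stack.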