Security Settings for Web Security come from the WebSecurity
Snippet by default, but you can override
those settings with your own custom settings or by using a standard profile. Default
Web Access policies come from the Web Security Snippet and can be overridden at any
scope.