The Group permissions model behaves slightly differently for Internal and External access. The basic principle is that Internal users should be able to see everything that has been marked External; when Group permissions are applied to External content (e.g. Activity, Base Layer, Project) this has no impact on the access for an Internal staff member.
When an Group permission is applied to Internal content (e.g. Activity, Base Layer, Project) it is only the Internal people that are impacted; the application is already excluding access for External users to this Internal layer.
Another way of evaluating what the different user experiences for internal and external content will be, can be seen in the following table:
Activities and Projects can have different layer access (e.g. Internal, External, Public). This table shows the user experience under all possible combinations, including when Groups are applied.