Permissions
It combines the permissions from all the users groups.
If the user is denied access to anything they still can't access it even if they are given access to it elsewhere.
If the user is given access to something in any group they will have access to it (unless of course something else denies them).
If there's no explicit allow or deny in any of the users groups, they will be denied access.
Access Levels
Access levels are done separately from group permissions - access can be set to limited, standard or full in the tfs 2012 admin area.
For TFS 2010 the only group that acted a bit weirdly was the work item only group, which afaik acted as a explicit deny on everything but editing your own work items. This functionality is replaced with access levels in tfs 2012.