When configuring Security Filtering settings on a GPO, what you are really doing is changing security permissions on the GPO itself. You see, for a computer or user to be able to apply any given Group Policy Object, that computer or user needs to have two different "rights" to the GPO. It needs to be able to "read" the GPO, and it needs to be able to "apply group policy".
You can view the permissions for any GPO by clicking on the GPO (or any one of its links), then visiting the Delegation tab. Here, you can see a general overview of the permissions on the GPO, but you won't see the full story until you then click on the Advanced... button. Clicking Advanced... shows you the full picture of permissions on this GPO, as seen in the following screenshot:
The preceding screenshot shows permissions on my brand-new GPO called Lock down Control Panel, which is currently still being filtered to the default Authenticated Users group. Inside the permission settings, you can see that Authenticated Users has two Allow settings—Read and Apply group policy. The combination of these two allowances is what tells the GPO to successfully process on anyone who is an Authenticated User.
Any users, computers, or groups of users or computers that you have listed inside Security Filtering will show up inside this list of permissions, and will have both of these rights assigned to them. This is the "under-the-hood" view of what really defines who gets the policy applied, and who does not.