I'll throw one other technique out there that I use quite a bit. It may not handle things like verifying someone can see something in Object Explorer that they think they should, but it could help with specific database or server-level permissions. Your comment, "at the very least I would like to be able to be more confident when I add someone to a group in Windows that they'll be able to access the databases properly", is aligned with my thought process as well and is exactly why I take the extra step myself before responding to users that they have been granted a specific permission. After setting up the Login, I'll run something along these lines:
```sql
-- Switch the session's security context to the login being tested
EXECUTE AS LOGIN = 'domain\windows.user';
GO
SELECT SUSER_SNAME() AS impersonated_security_context;
GO
BEGIN TRAN;
-- try the operation the login is supposed to be able to perform
ROLLBACK;
GO
-- Return to the original security context
REVERT;
GO
SELECT SUSER_SNAME() AS original_security_context;
GO
```
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
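The impersonation pattern from the post above can also report effective permissions instead of testing one operation at a time. This is an added example, not part of the original post; the login name and the database name `SalesDb` are hypothetical placeholders, and it assumes the caller is allowed to impersonate the login (sysadmin or IMPERSONATE permission on it).

```sql
-- Added example: enumerate what the impersonated login can actually do.
-- 'domain\windows.user' and 'SalesDb' are placeholders, not values from the post.
EXECUTE AS LOGIN = 'domain\windows.user';

BEGIN TRY
    -- Confirm whose security context the checks run under
    SELECT SUSER_SNAME() AS impersonated_security_context;

    -- Effective server-level permissions, including those inherited
    -- through Windows group membership and server roles
    SELECT permission_name
    FROM sys.fn_my_permissions(NULL, 'SERVER')
    ORDER BY permission_name;

    -- Databases the login can actually enter (HAS_DBACCESS returns 1, 0 or NULL)
    SELECT name AS accessible_database
    FROM sys.databases
    WHERE HAS_DBACCESS(name) = 1
    ORDER BY name;

    -- Targeted checks: 1 = held, 0 = not held, NULL = invalid securable or permission
    SELECT
        HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW SERVER STATE')   AS can_view_server_state,
        HAS_PERMS_BY_NAME('SalesDb', 'DATABASE', 'CONNECT')  AS can_connect_salesdb;
END TRY
BEGIN CATCH
    -- Report the failure but still fall through to REVERT below
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;

-- Always return to the original context before doing anything else
REVERT;
SELECT SUSER_SNAME() AS original_security_context;
```

Everything runs in a single batch so that REVERT executes even when one of the checks raises an error.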