Moodle / MDL-79297

Do not allow users to set capabilities to "prevent" when editing global/system role definitions


    • Improvement
    • Resolution: Unresolved
    • Minor
    • None
    • 4.1.5, 4.2.2
    • Roles / Access
    • None
    • MOODLE_401_STABLE, MOODLE_402_STABLE

      The current role assignment permission system works like this:

      • Get the current context
      • For each role the user has in this context
        • Go upwards the context path
        • If PROHIBIT is found anywhere on the path, drop everything and return false
        • Otherwise, the first found PREVENT or ALLOW is the result for that role
      • If ALLOW is the result for any role, return true, else false

      When doing it like this, it makes no difference when editing roles globally between setting a capability to INHERIT or to PREVENT. If either of those is the end result of a context path search, it amounts to false.

      Keep in mind I don't mean to remove PREVENT from the permission system. I mean don't let users set PREVENT when editing permissions on the system level (i.e. roles/define.php?action=edit) because it creates unnecessary complexity and confuses people (I think).

      On the other hand, PREVENT is most useful when overriding roles in lower contexts and should remain there.

            Unassigned Unassigned
            poggenpohlda Daniel Poggenpohl
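
The lookup described in the issue, modelled as an added Python example (not Moodle's code and not part of the original report); the role names, the three-level context path and the function names are assumptions. It goes beyond the single case in the text by enumerating every combination of the other settings and counting where PREVENT versus INHERIT changes the outcome.

```python
from itertools import product

# Permission values as named in the issue; a missing entry means INHERIT.
INHERIT, ALLOW, PREVENT, PROHIBIT = "inherit", "allow", "prevent", "prohibit"
PATH = ["module", "course", "system"]   # constructed: current context up to system
ROLES = ["teacher", "student"]          # constructed role names


def has_capability(perms, roles=ROLES, path=PATH):
    """perms maps (role, context) -> permission for a single capability."""
    allowed = False
    for role in roles:
        found = [perms.get((role, ctx), INHERIT) for ctx in path]
        if PROHIBIT in found:            # PROHIBIT anywhere on the path wins
            return False
        # First explicit ALLOW or PREVENT going upwards decides for this role.
        first = next((p for p in found if p in (ALLOW, PREVENT)), INHERIT)
        allowed = allowed or first == ALLOW
    return allowed


def count_differences(role, ctx):
    """Count configurations where PREVENT vs INHERIT at (role, ctx) changes the result."""
    others = [(r, c) for r in ROLES for c in PATH if (r, c) != (role, ctx)]
    diffs = 0
    for combo in product([INHERIT, ALLOW, PREVENT, PROHIBIT], repeat=len(others)):
        perms = dict(zip(others, combo))
        with_inherit = has_capability({**perms, (role, ctx): INHERIT})
        with_prevent = has_capability({**perms, (role, ctx): PREVENT})
        diffs += with_inherit != with_prevent
    return diffs


if __name__ == "__main__":
    print("system level:", count_differences("teacher", "system"))  # 0
    print("course level:", count_differences("teacher", "course"))  # 14
```

Under this model the system-level count is zero, while a PREVENT override at course level does change results, which is the distinction the report draws.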