Collection and group read only permissions have no effect

Hi, I have been doing some basic testing and have come across a problem which must be either my bone head mistake or not the intended use. When I add a user to a group and the group to a collection, the collection and group read only permissions do not prevent a user from editing the password. Only setting the user read only tick box prevents the user from editing. Any suggestions on what I am doing wrong? Is it behaving as expected. This is all via online accounts and nothing is hosted locally.

Thanks to Aaron in support for clarifying that I should not select the collection in the ‘People’ tab. This is expected behaviour for the following reasons:
Permissions are set at either the collection or group where write overrides read only
If the user is added directly to the collection under ‘People’, write overrides read only in the statement above. i.e. allows adding a user to a collection without using groups.