http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/fedffin2.mspx
Planning and Implementing Federated Forests in Windows Server2003
Using SID Filtering When Migrating User AccountsSID filtering does not allow for the use of SIDs from outside the forest to enable access to any resource within the forest. You can enable the SID of a user in a different forest to access a resource within a forest that has SID filtering enabled by translating security on the resource to include the user SID in the permission list. Because SID filtering does not apply to authentication within a domain, it is also possible to allow access to resources by means of SID history if the resource and the account are in the same domain.
To allow users or groups to access a resource by using SID history, the forest in which the resource is located must trust the forest in which the account is located. SID filtering is applied by default when a cross-forest trust is established between two forest root domains. Also, SID filtering is enabled by default when external trusts
external trusts
A trust that is manually created between two Active Directory domains that are located in different forests or between an Active Directory domain and a Windows NT 4.0 or earlier domain. External trusts are nontransitive and one-way.are established between domain controllers running Windows Server 2003 or Windows 2000 SP4 or later. This prevents potential security attacks by an administrator in a different forest.