The Windows ACL is currently only configurable directly from Windows clients. Once enabled (in the share configuration page, select "enable ACL"), to make Windows ACL functions properly you'll have to set the POSIX layer ACL to "all pass" condition, which means setting the POSIX layer ACL to all RW permissions, and let Windows ACL work as the only ACL to filter the access from clients.