The Sharepoint installation I've been working on recently has a number of sites, with custom security applied to each one of them (to allow only the specific group access to it) -- ie. the normal way to do it.  These sites are all publishing sites, as they wanted to be able to have a bunch of content up there, plus some other lists of things.  The problem was, users that they thought were just 'normal' users were editing the main page of the site, ie. "default.aspx' in the 'Pages' document library.  I was asked to take a look at the permissions to determine why the users of the site were able to edit the pages.  After a couple of quick checks, I found their 'normal users' group was given a permission that included 'Edit Items', which allowed them to edit the items in the 'Pages' document library.  They replied that the users shouldn't be able to edit it because they didn't have the 'Add/Edit Pages' permission.  It turns out, that permission is only for editing pages in the way that Sharepoint Designer does -- ie. without a document library.  The proper way to prevent 'normal' users from editing the published pages in the site is to disable permission inheritance for the 'Pages' document library, and configure the security on that list to not give the 'edit items' right to the 'normal' users.

The lesson?  The 'Pages' document library isn't special, at least when it comes to security.

Thanks to Chris Domino for confirming my understanding of how these permissions worked.