Basically, access protection blindly controls access by processes to some specific system areas or ports that are usually targeted by malware. On-access scan hooks file operations and checks file contents (using signatures and heuristics).
Access protection could be useful to complement the on-access scanner, when a so far unidentified (and, for the on-access scanner, invisible) malware performs the usual steps to plant itself, or an already planted malware performs its activity (like sending mail). These steps could include: registration to autorun, registration as browser helper/start page, registration as a device (CLSID), etc.
You can use access protection with caution. Normally you can take a strict approach or a delayed approach. The strict approach means you enable blocking and logging of the most characteristic access protection rules that would prevent a trojan installation, then make exceptions to these rules based on feedback from admins or users. The delayed approach means you only enable logging in the same rules, often check the access protection logs (or ePolicy events of the same) and make exceptions; after some time you enable blocking.
You can also create your own access protection rules in case the existing ones do not fully cover your aim.
/As for the rule getting re-checked, which you mentioned here: a VirusScan client configuration may be controlled centrally by ePolicy Orchestrator via its agent, which enforces this configuration regularly to prevent unwanted local modification of VirusScan. In this case changes made by you are only temporary./
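
The delayed approach described in the post above (log only, review, add exceptions, then block), as an added example that is not part of the original post or the product's own tooling. It triages report-only events in a hypothetical, simplified CSV layout; the column names, rule labels, sample rows and the `min_hosts` threshold are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed report-only events in a hypothetical, simplified CSV layout
# (not the product's real log format); rule names are made-up labels.
SAMPLE_EVENTS = """host,user,process,rule
PC-001,alice,C:\\Apps\\Updater\\upd.exe,autorun registration
PC-002,bob,C:\\Apps\\Updater\\upd.exe,autorun registration
PC-003,carol,C:\\Apps\\Updater\\upd.exe,autorun registration
PC-002,bob,C:\\Users\\bob\\Temp\\x7.exe,autorun registration
PC-004,dave,C:\\Tools\\mailer.exe,outbound mail
PC-004,dave,C:\\Tools\\mailer.exe,outbound mail
"""

def summarize(csv_text):
    """Group logged hits by (rule, process); count hits and distinct hosts."""
    groups = defaultdict(lambda: {"hits": 0, "hosts": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["rule"].strip(), row["process"].strip().lower())
        groups[key]["hits"] += 1
        groups[key]["hosts"].add(row["host"].strip().upper())
    return groups

def triage(csv_text, min_hosts=3):
    """Split pairs into exception candidates and pairs to investigate first.

    Assumption of this example: a process that trips a rule on many hosts is
    likely deployed software to raise with admins; one seen on few hosts is
    examined before anyone excludes it.
    """
    candidates, investigate = [], []
    for (rule, process), g in sorted(summarize(csv_text).items()):
        entry = (rule, process, g["hits"], len(g["hosts"]))
        (candidates if len(g["hosts"]) >= min_hosts else investigate).append(entry)
    return candidates, investigate

def rules_ready_to_block(csv_text, excluded):
    """Rules whose every logged process already has an exception."""
    excluded = {p.lower() for p in excluded}
    pending = defaultdict(set)
    for rule, process in summarize(csv_text):
        pending[rule].update({process} - excluded)
    return sorted(rule for rule, left in pending.items() if not left)

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(rules_ready_to_block(SAMPLE_EVENTS, {r"C:\Tools\mailer.exe"}))
```

A rule returned by `rules_ready_to_block` has produced no logged hit outside the exceptions already granted, so switching it from logging to blocking would not stop anything observed during the logging period.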