1) The physical display will show you "ALL" the events of your infrastructure (ACE, Receiver, ELM, McAfee EPO, and some other McAfee products if you have them).
2) Local ESM will show only the events related to the ESM (if you have only one ESM, it will give the same information as above).
3) Receiver-ELM will show only the events collected by this receiver (if you don't have any other McAfee product, it will give you the same information as above).
4) Correlation rules are used to "correlate" events from different sources. A simple example would be the detection of brute force: if the same user makes three unsuccessful authentication attempts and then succeeds on the fourth, generate an alarm.
Normalization is different; it's how you name your fields. Let's say you want to know the "TOP 10 users" on your network. The problem is that in Windows logs the field is called "username" and for Cisco it's "user".
What you need is for all of your equipment to use the same terminology, so that when you ask McAfee to show you the TOP 10 users it will take into consideration both Windows and Cisco logs.
5) Signature IDs are the rules used for the parsing, and normalization IDs are for the normalization rules.
6) You can upload a flat file for testing purposes, mostly to be sure that your parser is correct.
You should definitely take a look at the documentation; as btkaro said, you'll find a lot of useful information.
Hope this helped and sorry for my English.
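Added example, not part of the original post and not McAfee ESM rule syntax: a Python sketch of the two ideas above, normalizing the Windows "username" and Cisco "user" fields to one name and then correlating three failures followed by a success. The field maps, the "result"/"status" fields and the sample events are constructed assumptions, and no time window is applied.

```python
from collections import Counter, defaultdict

# Assumed per-source field maps (hypothetical; in ESM the parser rules do this).
FIELD_MAP = {
    "windows": {"username": "user", "result": "outcome"},
    "cisco": {"user": "user", "status": "outcome"},
}

# Constructed sample events, already in time order.
RAW_EVENTS = [
    ("windows", {"username": "alice", "result": "failure"}),
    ("cisco", {"user": "alice", "status": "failure"}),
    ("windows", {"username": "bob", "result": "success"}),
    ("windows", {"username": "alice", "result": "failure"}),
    ("cisco", {"user": "carol", "status": "failure"}),
    ("cisco", {"user": "alice", "status": "success"}),
    ("windows", {"username": "carol", "result": "success"}),
]

def normalize(source, event):
    """Rename source-specific fields to the common names 'user' and 'outcome'."""
    mapping = FIELD_MAP[source]
    out = {mapping[k]: v for k, v in event.items() if k in mapping}
    out["user"] = out["user"].lower()
    out["source"] = source
    return out

def correlate(events, threshold=3):
    """Return users who succeed right after at least `threshold` consecutive failures."""
    failures = defaultdict(int)
    alarms = []
    for ev in events:
        user = ev["user"]
        if ev["outcome"] == "failure":
            failures[user] += 1
        else:
            if failures[user] >= threshold:
                alarms.append(user)
            failures[user] = 0  # a success resets the failure streak
    return alarms

def top_users(events, n=10):
    """Count events per user across all sources, using the normalized field."""
    return Counter(ev["user"] for ev in events).most_common(n)

NORMALIZED = [normalize(src, ev) for src, ev in RAW_EVENTS]
```

The alarm for alice only fires because her failures from both the Windows and Cisco sources are counted under the same normalized field.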
Thanks for your update, it feels great to know.
Does anyone have an idea on this? What is the difference between a rule and a policy here?
A Policy can be thought of as a collection of Rules. You can edit a policy to a set of rules. For example, if you have rules enabled for devices or data sources you do not operate, you may be wasting resources updating these rules and the policy for non-existent data sources.
Rules are either built in, custom built, or correlation rules that dictate actions/activities/events based upon logs and the parsing of same. For example, I've created a custom rule for our endpoint product, calling out Ransomware detections by editing the parser for *crypt and other threat names. Rules can also be enabled or disabled.
Variables can be thought of as "programmatic watch lists". Variables include $HOMENET, $EXTERNAL_NET and such. You can create variables for networks and hosts/machines; for example, you can enter all of your DNS Servers into a DNS_Servers variable and build rules based upon actions involving those hosts. This will tune your detections and allow you to disable non DNS/Server rules, and lighten your policy.