When a VM is powered on, the target object is the data center for that operation. That might explain the behavior you're seeing with the permissions. Beyond that, I don't have a good answer as to why the web client is behaving different, since permissions are enforced server-side.
Are you truely using the resource groups, or are you using them as a means of logically grouping your servers? If the latter, can you try creating VM folders, and apply permissions on the folders, then see if it works?