How to set "full permission" to individual file inside a document library?

I have a document library inside an SPS 2010 server.  The whole library permission is set toread-only to everybody except me and some admin accounts.

Now inside this library, I have a file which should be set to “full control” for a particular user (Test A. User in my example below and it is not a member of admin group, of course).  I have set what seems to be logical to me, and when I use the “check permissions” tool, I got the result in the upper part of the following image.  It seems correct, doesn’t it?

However, when the user tried to change the content and save the file, he got the error message “Cannot save your changes” (shown in the lower part of the image below)

Is there a bug or what?  How is the resultant permission “calculated”?  I mean, is “allowance” at a higher priority than “denial”?  Or the opposite?  In my example, Test A. User has both “Read” and “Full Control”.  What is the resultant permission?  Read?  Or Full control?

And how to do what I wanted to do (ie setting full control to only one file for one user)?