
Explanation:
Box 1: Yes
User1 can create a storage account in RG1, since User1 has Storage Account Contribute Role inherited from Resource Group.
Box 2: No
User1 can view all resources, but does not allow to make any changes.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader Box 3: Yes User1 can create an inbound security rule to filter inbound traffic to networkinterface1, since User1 has Contributor role for NSG1.