To answer my own question I asked back in August:
This does not work very well with NSM. If you never import the rulebase back into NSM then NSM won't see those rules added by the apply groups. This will give you very odd effects when viewing traffic logs on NSM.
You will see zones getting mixed up in the logs. For example, if you have traffic from untrust to trust, that traffic will show up as being from trust to untrust (opposite direction). We've also seen log entries from untrust to untrust even though it was untrust to trust.
For some reason, NSM does not seem to use the zone information provided in the log files, but instead (seems to) looks them up using rule ID numbers. Since your rule numbers don't match with those on the device (NSM not knowing about the rules added by apply groups), it will see the wrong info. That's the only explanation I have.
As soon as I had imported the device and used the imported rule base (which then contained the rules added through apply groups), everything looked fine.
To make a long story short: Watch out if you are using NSM.