A bit late to the party here, I agree that the creating the additional app server appears to be best practice, but if you have the ability to create a temporary AD user for the purpose of testing security and create a copy of the shortcut for running Epicor and add C:\Windows\System32\runas.exe /user:<username> “path of epicor.exe /config=EpicorERPTest.sysconfig” to the target field. When you run the shortcut you will be prompted with a command window to enter in the password of the newly created ad user.
Epicor will now open in the context of that user so you can check the security. I agree you can run the menu security group as well, but sometimes a picture is 1000 words. In this case an Epicor user in the correct security group and menu security, and logged in is just as useful 