The exclusions are kept in the registry and checked whenever a scan occurs. Depending on which scan you selected the exclusion for (i.e. scheduled), it would be checked during that scan and excluded.
I don't believe there are any best practices per se, but say you want to exclude a directory C:\test on only one machine for all scans, and you create the policy and assign it to all groups. Well, not only will C:\test be excluded on that machine but on all machines. Probably 99% of the time it won't matter, but just say a machine gets infected and the malware creates a directory called C:\test where it runs from. Well, that would now be excluded and the malware allowed to run.
Your best bet would be to group machines by function or similarities (i.e. servers, laptops, desktops, SMTP servers, file servers, etc.) and assign different policies to each, giving you more fine-grained control.