
Where does Windows store ACLs and do ACLs follow a file from one machine to another?


ACLs are stored in the part of an NTFS partition that does all the background plumbing - the MFT (Master File Table).

The ACL does not follow a file around, since it is not a part of the file (just like the filename it is metadata). The file can cross partition type boundaries (NTFS->FAT), the ACL cannot.

Now if you move a file within one NTFS partition, you might get the impression that ACLs actually follow the file around. This is because during a move, only the filename in the MFT is actually changed. Everything else stays the same.

If you copy a file or move it to another partition or computer (which is actually a copy+delete operation), the copied file will by default inherit the permissions of its new container (the inheritable ones only, to be precise).

However, there are tools that are capable of retaining the ACL of a file after a copy operation (simply by recreating it on the target file after the copy operation) even over partition or computer boundaries. xcopy can do that, among others.

But since an ACL can contain SIDs that are "domain owned", an ACL entry might not actually be meaningful to the target computer that is not part of the same domain (for example when taking home an NTFS-formatted USB drive). In that case the ACL entry will have no effect.

Other SIDs are "well known", like the "SYSTEM" SID. These will actually be recognized across domain borders.
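The behaviour described in this answer can be seen directly on a test machine. The following PowerShell script is an added example, not part of the original post: it puts an explicit ACE on a file, copies it the plain way (the copy gets only the inheritable ACEs of the destination folder), copies it again and recreates the source ACL on the target (the same thing xcopy /O does), and finally walks the resulting ACEs to see whether each SID resolves locally, which is the check you want when a drive or backup arrives from another domain. It assumes an NTFS volume under $env:TEMP, a current user who owns the files it creates, and the built-in "Guests" group, whose well-known SID resolves on any Windows machine.

```powershell
# Added example (not from the original post). Assumes $env:TEMP is on NTFS and that the
# current user owns the files created here, so Set-Acl does not need extra privileges.

$root = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid().ToString('N'))
$src  = Join-Path $root 'src'
$dst  = Join-Path $root 'dst'
New-Item -ItemType Directory -Path $src, $dst | Out-Null

$file = Join-Path $src 'secret.txt'
Set-Content -Path $file -Value 'constructed sample content'

# Add an explicit (non-inherited) ACE to the source file: deny Read to Guests.
# 'Guests' is a well-known built-in group, so this SID is meaningful on every Windows host.
$acl  = Get-Acl -Path $file
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Guests', 'Read', 'Deny')
$acl.AddAccessRule($rule)
Set-Acl -Path $file -AclObject $acl

function Get-ExplicitAces {
    param([string]$Path)
    # Inherited ACEs come from the container; only explicit ones were set on the object itself.
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited }
}

# 1. Plain copy: the new file is a new MFT record, so it only receives the inheritable
#    ACEs of $dst; the explicit Guests deny from the source is not carried across.
$copy1 = Join-Path $dst 'copy-plain.txt'
Copy-Item -Path $file -Destination $copy1
"Explicit ACEs on plain copy:          $(@(Get-ExplicitAces $copy1).Count)"

# 2. Copy, then recreate the source ACL on the target. This is what ACL-preserving tools
#    (xcopy /O, for instance) do for you after the byte copy.
$copy2 = Join-Path $dst 'copy-with-acl.txt'
Copy-Item -Path $file -Destination $copy2
Set-Acl -Path $copy2 -AclObject (Get-Acl -Path $file)
"Explicit ACEs on ACL-recreated copy:  $(@(Get-ExplicitAces $copy2).Count)"

# 3. Resolve every SID in the recreated ACL. A SID issued by another domain will not
#    translate on a machine outside that domain (IdentityNotMappedException) and the ACE
#    is then inert locally; well-known SIDs such as SYSTEM or Guests always resolve.
foreach ($ace in (Get-Acl -Path $copy2).Access) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        '{0,-45} resolves to {1} (account SID: {2})' -f $sid.Value, $name, $sid.IsAccountSid()
    } catch [System.Security.Principal.IdentityNotMappedException] {
        '{0,-45} UNRESOLVED on this machine' -f $sid.Value
    }
}

Remove-Item -Path $root -Recurse -Force
```

Run it in an elevated or normal PowerShell session on an NTFS volume; the two counts printed in steps 1 and 2 make the difference between "inherit from the new container" and "recreate the ACL" visible, and the resolution loop in step 3 is the same check to run against any ACL that arrived on removable media or a restored backup: an ACE whose SID does not translate is one the local system cannot enforce as intended.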