The check performed when CheckUserLogin is enabled is performed against the groups specified in CheckUserGroup, as you mentioned. This is performed regardless of the currently logged-in user (if any).
This check doesn’t replace the Windows logon screen; it’s just an additional check for P2P sessions to allow only specific groups of users to open a session towards a Target. If the screen is locked or no user is logged on to the Target machine, then the Controller user has to be granted permission by the Windows logon system as usual.
So basically, only if a user has logged in on the Target machine and the screen is not locked, you won’t need to enter any credentials after the CheckUserLogin popup on the Controller. In order to avoid that, the property ConfirmTakeOver is typically set to “yes” to request user confirmation before establishing a session.