The problem is, that in current state the smbd first creates a file and allows system to apply default posix ACLs (and applies "create mask"):

smbd/open.c:

if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) &&
    (def_acl = directory_has_default_acl(conn, parent_dir))) {
    unx_mode = (0777 & lp_create_mask(SNUM(conn)));

So far it is good. The operating system applies default ACLs and "create mask" is taken into account. But later, smbd rewrites the ACLs:

smbd/open.c:

 else if (lp_inherit_acls(SNUM(conn))) {
/* Inherit from parent. Errors here are not fatal. */
status = inherit_new_acl(fsp);
if (!NT_STATUS_IS_OK(status)) {
    DEBUG(10,("inherit_new_acl: failed for %s with %
    fsp_str_dbg(fsp),
    nt_errstr(status) ));
}

As it rewrites the ACLs, the "create mask" (eg. = 666) is not applied and ordinary files get execute permission.
So, basically, it first allows to apply default ACLs by system, next it does its own inheritance. I want only the first portion.

Commenting out the second portion makes it work correctly. To get the desired effect the parameter "store dos attributes = yes" also has to be set.

I have no idea why the second portion (inherit_new_acl(fsp)) is added but it makes me trouble.
If it cannot be removed for some other reasons, I can produce a patch with a new option, eg. "inherit acls posix only", or whatever other name you do prefer, so it can be disabled separately.