MAC address changes and forged transmits

Every virtual machine has two MAC addresses by definition. The MAC address that is assigned to the vNIC of a virtual machine when the vNIC is created is called the initial MAC address. The MAC address that a guest operating system configures for the network interface it detects is called the effective MAC address. The effective MAC address should generally match the initial MAC address (which is the actual MAC of the NIC). Two virtual switch security settings govern what happens when they differ:

  • MAC address changes apply to the traffic entering a virtual machine from the virtual switch. If MAC address changes are set to Accept, you allow the virtual machine to receive traffic originally intended for another VM by impersonating the other VM's MAC address. For example, if VM-A wanted to receive traffic intended for VM-B, VM-A would need to present itself with a MAC address belonging to VM-B. This is usually achieved by changing the effective MAC address (at the OS level); the VM's initial MAC address remains unchanged. With MAC address changes set to Accept, the virtual switch allows the effective MAC address to differ from the initial MAC address. With MAC address changes set to Reject, the port/dvPort to which the vNIC is connected is blocked when the effective MAC address differs from the initial one, and consequently the VM stops receiving any traffic.
  • The Forged transmits setting applies to the traffic leaving a virtual machine and entering a virtual switch. If set to Accept, it allows source MAC address spoofing; that is, a virtual machine is allowed to send out frames with a source MAC address that is different from the initial/effective MAC address. With the option set to Reject, the virtual switch drops any frame whose source MAC address does not match the initial/effective MAC address.

Both MAC address changes and Forged transmits are set to Reject by default.
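
The following is an added example, not VMware code or part of the original page: a simplified Python model of one switch port that applies the two settings to the VM-A/VM-B case described above. The class, function names and MAC addresses are constructed for illustration, and the comments mark where the model makes an assumption the page does not spell out.

```python
from dataclasses import dataclass

ACCEPT, REJECT = "Accept", "Reject"
VM_A, VM_B = "00:50:56:00:00:0a", "00:50:56:00:00:0b"  # constructed sample MACs

@dataclass
class Port:
    """Simplified model of one virtual switch port and its vNIC."""
    initial_mac: str                 # assigned when the vNIC was created
    mac_changes: str = REJECT        # policy for traffic entering the VM
    forged_transmits: str = REJECT   # policy for traffic leaving the VM
    effective_mac: str = ""          # what the guest OS has configured
    blocked: bool = False

    def __post_init__(self):
        self.effective_mac = self.initial_mac  # the normal, matching state

    def guest_sets_mac(self, mac: str) -> None:
        """Guest OS reconfigures its interface MAC (effective MAC changes)."""
        self.effective_mac = mac
        # With Reject, the port is blocked while effective != initial.
        self.blocked = mac != self.initial_mac and self.mac_changes == REJECT

    def receive(self, dst_mac: str) -> bool:
        """Does the switch deliver a frame addressed to dst_mac to this VM?"""
        return not self.blocked and dst_mac == self.effective_mac

    def transmit(self, src_mac: str) -> bool:
        """Does the switch forward a frame the VM sends with src_mac?"""
        if self.blocked:             # assumption: a blocked port passes nothing
            return False
        if self.forged_transmits == ACCEPT:
            return True
        # Assumption: "initial/effective" is read as matching either address.
        return src_mac in (self.initial_mac, self.effective_mac)

def impersonation_outcome(mac_changes: str, forged_transmits: str) -> dict:
    """VM-A tries to pass as VM-B; report what the switch lets through."""
    port = Port(VM_A, mac_changes, forged_transmits)
    spoofed_tx = port.transmit(VM_B)   # forged source, guest MAC untouched
    port.guest_sets_mac(VM_B)          # now change the effective MAC
    return {"spoofed_tx": spoofed_tx, "port_blocked": port.blocked,
            "receives_vm_b_traffic": port.receive(VM_B)}

if __name__ == "__main__":
    for mc in (ACCEPT, REJECT):
        for ft in (ACCEPT, REJECT):
            print(f"MAC changes={mc:6} Forged transmits={ft:6}",
                  impersonation_outcome(mc, ft))
```

Running it prints the outcome for all four policy combinations, which makes it easy to see that only Reject/Reject stops both the forged frame and the redirected traffic.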