jskfan (Cyprus) asked:

Active Directory Forest Trust

If I have Forest A and Forest B with a 2-way Trust, would that automatically allow users from one forest to access resources in the other forest?
I have heard that SID filtering can be an issue. I would like an Expert to elaborate on that.

Thank you
Hello There:

You need to focus on the "Authentication Level".

If I have Forest A and Forest B with a 2-way Trust, would that automatically allow users from one forest to access resources in the other forest?
If you choose Selective Authentication, then no. To allow the user to access any resources, you have to:
1. allow him to authenticate to the domain
2. give him permissions (= add him to AD groups). Then the user will get access.
This is definitely more secure because you have control over who is accessing resources in your domain.

If you choose Forest Wide Authentication, the user will auto-authenticate (step one from Selective Authentication is skipped) and will be automatically added to Authenticated Users. It means that he has permission to access all resources that are allowed for Authenticated Users. This might be an issue. That's why we don't use this option.

[While creating a Forest Trust, the wizard will ask what kind of authentication level will be configured on the Forest Trust.
Forest Wide Authentication
When Forest Level Authentication is enabled, the Domain Controllers of the Trusting Forest will authenticate all access requests made by users from the Trusted Forest. Once authentication is successful, access to the resource is granted or rejected based on the resource's Access Control List (ACL).
There is a risk in this approach. Once the foreign user (from the trusted Forest) has been successfully authenticated by the Domain Controllers of the Trusted Forest, it becomes a member of the "Authenticated Users" group. This group does not have any permanent members; membership is computed dynamically based on authentication. Once an account is a member of the "Authenticated Users" group, it can access all resources where the group "Authenticated Users" has access.

Selective Authentication
To combat the above-mentioned security loophole and have some control over authentication, we can opt for the Selective Authentication level. At this level, not all users are authenticated by Domain Controllers by default. Instead, when a Domain Controller of the Trusting Forest detects that an authentication request is coming from a trusted forest, it first validates whether the user account has been granted exclusive permission on the resource that is holding the object.
For example, a file share has been configured on a file server. If a user from a trusted forest wants to access that file share, that user account has to be explicitly granted the "Allowed to Authenticate" right on the file server. Only then will the Domain Controller authenticate the user; otherwise the Domain Controller will reject the authentication request, and the user will not be part of the "Authenticated Users" group.]


https://social.technet.microsoft.com/wiki/contents/articles/50969.active-directory-forest-trust-attention-points.aspx#Forest_Wide_Authentication
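The two Selective Authentication steps described in the answer above, as an added PowerShell example; this is not code from the thread or from the wiki article it quotes. It grants a group from the trusted forest (Forest B) the "Allowed to Authenticate" right on one file server's computer object in the trusting forest (Forest A), then adds that group to a domain local group that the share's ACL uses. The server name, group names and forest NetBIOS name are hypothetical; the Allowed-To-Authenticate GUID is the fixed rightsGuid of that control-access right in the AD schema. Run it in Forest A with rights to edit the computer object and the group, after the trust is up.

```powershell
# Added example for the thread; names are assumptions, not from the original post.
Import-Module ActiveDirectory

$fileServer   = 'FS01'                                       # assumed: member server in Forest A (trusting forest)
$foreignGroup = New-Object System.Security.Principal.NTAccount('FORESTB', 'FileShare-Users')  # assumed: group in Forest B (trusted forest)
$localGroup   = 'FS01-Share-Readers'                         # assumed: domain local group in Forest A granted Read on the share

# Resolve the Forest B group to its SID across the trust (no SID history involved)
$sid = $foreignGroup.Translate([System.Security.Principal.SecurityIdentifier])

# Control-access right "Allowed-To-Authenticate": fixed rightsGuid in the AD schema
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# Step 1 (selective authentication): allow the foreign group to authenticate to this server.
# The right is an ACE on the server's computer object, not on the file share itself.
$computerDn = (Get-ADComputer -Identity $fileServer).DistinguishedName
$path = "AD:\$computerDn"
$acl  = Get-Acl -Path $path
$ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $allowedToAuthenticate)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Step 2: give permissions through a domain local group (global groups cannot hold foreign
# principals). The <SID=...> DN form lets the DC create the foreign security principal itself.
Set-ADGroup -Identity $localGroup -Add @{ member = "<SID=$($sid.Value)>" }

# Check: which identities hold Allowed-To-Authenticate on a computer object
function Get-AllowedToAuthenticate {
    param([string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.ObjectType -eq $allowedToAuthenticate -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, IsInherited
}

Get-AllowedToAuthenticate -ComputerName $fileServer
# Membership read through the attribute, since the new member is a foreign security principal
(Get-ADGroup -Identity $localGroup -Properties member).member
```

Without step 1 the user from Forest B is refused at authentication and never receives Authenticated Users in the trusting forest, which is the point of the selective mode; step 2 alone (the ACL on the share) is not enough. Granting the right on an OU and letting it inherit to several computers is the same ACE with inheritance set, but keep it to the servers that actually host cross-forest resources.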

The two-way trust will make it possible to access resources in either forest based on the permissions on the resource. In our environment, we only use a one-way trust so that users in the production forest can access the test forest, but not the opposite.
SID filtering needs to be disabled to allow access to resources through the SIDHistory of objects while migrating objects between domains; otherwise it can be left enabled to raise security. It's automatically enabled on external trusts (forest).
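An added PowerShell example, not from the thread, that reads back the three trust settings the two answers turn on: trust direction, the authentication level (selective or forest-wide) and the SID-filtering bits in the trust object's trustAttributes. It needs the RSAT ActiveDirectory module and only reads; the netdom lines at the end, which would change the trust, are left as comments. The bit values are the trustAttributes flags defined in MS-ADTS; the forest names are hypothetical.

```powershell
# Added example for the thread; read-only audit of the trusts in the current domain.
Import-Module ActiveDirectory

# trustAttributes flag values (MS-ADTS, trustAttributes)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filtering quarantine; netdom /quarantine:Yes (external trusts)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # set on forest trusts
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # set by netdom /enablesidhistory:Yes on a forest trust

function Get-TrustSummary {
    # One row per trustedDomain object, with the bits decoded
    foreach ($t in Get-ADTrust -Filter * -Properties TrustAttributes, SelectiveAuthentication) {
        $attr = [int]$t.TrustAttributes
        [pscustomobject]@{
            Trust                = $t.Name
            Direction            = $t.Direction              # Inbound, Outbound or BiDirectional
            ForestTrust          = [bool]($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
            SelectiveAuth        = [bool]$t.SelectiveAuthentication
            SidFilterQuarantined = [bool]($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
            SidHistoryEnabled    = [bool]($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)
        }
    }
}

$trusts = Get-TrustSummary
$trusts | Format-Table -AutoSize

# Flag the two conditions the thread warns about on a forest trust: forest-wide
# authentication, and SID history from the other forest let through (migration only).
$trusts |
    Where-Object { $_.ForestTrust -and (-not $_.SelectiveAuth -or $_.SidHistoryEnabled) } |
    ForEach-Object {
        Write-Warning ("Review trust {0}: SelectiveAuth={1} SidHistoryEnabled={2}" -f
            $_.Trust, $_.SelectiveAuth, $_.SidHistoryEnabled)
    }

# Changing the settings (run from the trusting forest; forest names are hypothetical):
#   netdom trust forestA.example /domain:forestB.example /selectiveauth:Yes       # switch to Selective Authentication
#   netdom trust forestA.example /domain:forestB.example /enablesidhistory:No     # forest trust: SID filtering back on after a migration
#   netdom trust forestA.example /domain:forestB.example /quarantine:Yes          # external trust: SID filtering back on
```

Direction is read from the trusting side: a one-way trust like the production-to-test setup described above shows as Inbound in the test forest and Outbound in production. The warning picks out what to revisit after a migration, when SID history was deliberately allowed through and is easy to forget.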
jskfan (asker):

If it is not about migrating users between forests, and we choose Forest Wide Authentication, can users still access resources in the other forest?

If you choose Forest Wide Authentication, the user will auto-authenticate and will be automatically added to Authenticated Users. It means that he has permission to access all resources that are allowed for Authenticated Users.
ASKER CERTIFIED SOLUTION
Henrik Johansson (Sweden)

(This solution is only available to members of Experts Exchange.)
jskfan (asker):

Thank you guys
Both comments were answers to your solutions. Feel free to accept both as solutions.