That's actually not entirely true. The NLS_LANG specifies how (and if) will the Oracle Client re-code the VARCHAR2 values for the application that is using the Oracle Client. There's a silent (and sometimes incorrect) assumption, that the application is using the same encoding, as the underlying OS does, hence this explanation. As an application is actually free to use any encoding it wants, and on most modern Windows platforms, modern applications actually use Unicode (and the multibyte encoding system setting in Windows is only to be backward-compatible with older apps), so the NLS_LANG specifying something else then an Unicode based encoding may cause more problems than solutions.
On the other side, using something else than the "system" encoding (the multibyte one) may be an issue, if an application developer actually took that instruction literally and expect that the Oracle Client will provide data encoded in that multibyte encoding (and the application re-codes it to Unicode).
As far, as I know, the PL/SQL Developer (PLD) actually checks what is the encoding set for Oracle Client and re-codes that to Unicode (at least when the Unicode support is turned on in PLD preferences), so everything that Oracle Client provides should be displayed properly.
Your issue comes from the fact that the Arabic characters can't be properly represented using the Windows-1252 code-page as they are outside of the range of its charset. This means that the Oracle Client will replace those characters with "?" when re-coding it for PLD and PLD will show those.
As you have already seen, specifying Unicode-based encoding for PLD (you can do this in "params.ini" file of PLD, instead of environment variables, not to influence other apps) should allow you to work with most DB character sets (except those, that do not fit into UCS-2 range, which is at the base of Windows API).
If you are wondering why some other applications were able to display the Arabic characters even when NLS_LANG was set to Windows-1252, then the answer is probably simple: they did override that setting with Unicode based encoding, prior to accessing Oracle Client.