1) You have to set rc.firewall by yourself by using iptables or any other methods you might consider... There was some sort of webtool to generate your script (I think it was on AlienBob's website).
2) I think the point is that anyway he's got physical access to the PC...
I think that happens in all distros although I'm not sure (few distros take you to a console login). I use runlevel 4 -graphical login- with KDM. You can configure KDM to prevent some users to shutdown/restart the PC.
3) Don't know either, but if you open a binary with khexedit you will see an interesting hexadecimal map.
4) I don't think it matters having a rc.netdevice or not. I don't have one. I do think it is just to load the module/s for your card.
5)a) Define upgrade. If you mean security updates to a default install, then check the stable changelog, go to a mirror, download your security updates and then # upgradepkg yourpackage.tgz If you want to "upgrade" to -current, well that's very different. Keep in mind that -current is the development branch.
5)b) You could start by writing something simple...
# Anything but the first line starting with #
# is commented.
# Take a look at the scripts at /etc/rc.d
# For an extensive guide on how to use bash,
# check the bash manual (man bash)
# Write down whatever sh commands (console commands) you like
5)c) man iptables
or that script generator (I can't remember the URL)
May the Source be with you!