I guess I'm having a hard time understanding the need for the extra steps.
It sounds like you are going to do a lot of extra coding, to make all of your users come up with security questions and answers, to avoid confusing a user if a poser tries to get his kicks by triggering an unwanted email.
Doesn't that just inconvenience everyone? Do you anticipate a level of abuse that would warrant that?
Maybe I'm missing something. I've never had an issue with the "Forgot Password" email.