The reason you are denied access when entering the wrong username with the cookie being set is because of the auto login option. When this option is checked it will store the posted username and password in a cookie then attempt to login the user if they are not already logged in. Since these cookies have a value the script is attempting to auto log you in based on the values in the cookies. When you get the redirected to a restricted page you will be denied.
One way that you can get around this problem would be to set the failed redirect for the auto login to a page that unsets the cookies. Once these cookies have been unset you can attempt to login again.
If you wanted to make it like you have stated to allow a few login attempts you could record the number of times the user hits the failed redirect page that is resetting the cookie using an insert, and a recordset to count the number of entries for that user. If the count is greater than your limit then don't reset the cookie.
The error about the code being locked in the template is a problem that occurs from time to time when you attempt to insert server behaviors into a page derived from a template. Some ways to get around this are to temporarily detach the page from the template and add the server behavior, then re-attach the template. You can also apply the server behavior to another page and cut and paste it to your target page. Sometimes just restarting DW and trying it again will work also.