1) yes, there can be many access rules defined, but only 1 rule can be applied to a page.
2) For simple access you really only need to allow if a condition is true.
for more restrictive access rules, you would use a mix of allow and deny conditions.
for an example, see the Double Opt in tutorial.
3A) Those code blocks relate the Emailed password and Successful update rules. you can safely remove them without needing to remove any other code.
3B) The logout behavior can be added to another page. If that page also has other behaviors on it, you may want to trigger the logout behavior on a URL variable