Both of these scenarios will work out in a similar way. The idea is that on the login page you first will update the authenticate user server behavior. You will want to include these two columns in the set of session variables that are created on the last page of the server behavior.
Once the values are being stored in session variables you can then go into the Rules Manager and create new access rules for these values. You just have to setup the rule to look at the session variable and the value it is set to, if it is 'yes' for your first login rule then you would want to restrict access.
You will send the user to the profile page after they login. On the profile page you will need to have this rule applied. For the failed redirect on this page you would send them to the new password page.
The other part of this is going to be the update on the new password page. Along with the password you will need to update the first login column to be 'no'. The next time the user logs in they will go to the profile page and the rule will check to see if they have logged in already. If the column has been set to 'no' then they will remain on the profile page.
You would do a similar thing to activate/deactivate an account. Store the value from the column in a session variable on login. Then create a rule for not active users where you compare the value of the new active session variable. You then apply this rule to any page that you would like to restrict access to based on weather or not the user is active.
Please post back with any questions that you have about any part of this.