[eluser]Michael Wales[/eluser]
C) I wouldn't worry about - who really cares how many incorrect attempts there are?
The only time you should be concerned with this is if you are storing sensitive data within your system, maybe if you were developing an application for a business. Then you would provide an administrative section for help desk personnel at that business to unlock users' accounts. Upon locking, they would receive an error message telling them to call their IT department to be unlocked.
Because I'm pretty involved in the Silicon Valley scene, and I see a lot of startups focus on this sort of stuff way too much and end up crashing and burning regardless, I'll offer this advice:
Don't sweat the small stuff. Things like this don't matter - you are focusing on meaningless items when the big picture should be your application as a whole and what it tries to accomplish. Don't worry about scaling, or controlling user abuse too much. 95% of the web applications that are developed never see more than a couple thousand users and will die out within 6-8 months.
Focus on your application - get it completed. Focus on scaling and user control when those times come, if they come.