The last two, ForbiddenResponse and UnauthorizedResponse can never occur on an openacs installation, can they? I would guess that the request processor always spits out the custom 'security violation' messages, regardless what you have defined for these params.
If that's true then I think we shouldn't confuse the users by including them.
Any specific reason why you specify an .adp file for 404 and .html for the others? I remember Jeff Davis arguing strongly against templated 404 pages because they are possible resource killers, if some out of bound client (e.g. a worm) requests lots of non-existant pages within a short time, so I'd suggest to use a .html for 404 as well.