1 - I'd love to know the answer to that question as well. Especially where to store addresses and stuff like that. Somebody posted the same question a few weeks ago but unfortunately no one answered.
2 - its in user_preferences now
3 - If you allow <script> tags in user inputted html code then you're open to all sorts of cross site scripting tags. There is a parameter setting that allows you to list the allowed tags for user input: sitemap -> acs-kernel -> All. This changes the allowed input for the whole installation. It might make sense though to only change this for the adserver module, in this case you have to find ad_page_contract of the page that checks that input and change the filter from :html to :allhtml.
Maybe that would make sense as standard behaviour, e.g. admins may post any html in adserver, others just restricted. Feel free to post bug in bugtracker.
