1. It is probably better for you to code a routine that will read a template and parse certain variables when you output the template's contents. You could have a template editor (a basic TEXTAREA HTML code with some PHP File I/O) if you wanted to edit the template over the Internet (and not locally on a shell or something). Use arrays and str_replace (fastest) or ereg_replace (slower than the former, but not noticeably so) for substitution.
2 & 3: User and Admin pages can be separate or coded together (you just output certain other fields if a session cookie is set for an administrative user) to make it easier, or code two separate pages, one for viewing (user) and one for editing (administrative). It's really up to you. Don't let the user input passwords on a GET query, since they will show up unencrypted (if you didn't encrypt them first) in your browser URL.
One thing I would like to stress: Don't trust any user input. I mean that. And for those of you reading this, watch what I do:
$query = "SELECT * FROM news WHERE item =" . $id;
and in the browser, one could go like this:
http://yourhost/page.php?id=;DROP DATABASE mydb;
Can you guess what happens next? The query now turns into this:
$query = "SELECT * FROM news WHERE item =;DROP DATABASE mydb;";
The first query will error, but the second one will go through nice and dandy - along with your database!
Of course, with PHP register_globals can help with this... but don't do it anyway because you can never be sure what version of PHP you're using or the state of register_globals (where both can be sought after programmatically).
I've just demonstrated an SQL injection. DON'T LET IT HAPPEN, or I will find you and slap you upside your head so fast you'll choke on the recoil.
Check input with regexes, variable type checking (making sure a string is a string and an integer is an integer) or just plain switch cases... but don't let anyone muck with it.
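The type check described in the post above, as an added example that is not part of the original post: the `id` value is validated as an integer before any query is built, and then passed as a bound parameter (PDO prepared statements are an addition here, not something the post mentions). The `news` table and `item` column follow the post's query; the in-memory SQLite database, the `title` column, the sample rows and the function names are assumptions made so the example runs on its own.

```php
<?php
// Added example. Sample database and rows are constructed for illustration.

// Type check: accept only a plain decimal integer, nothing else.
// \A and \z anchor the whole string; "$" alone would also allow a trailing newline.
function parse_item_id($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,9}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Look up one news item. Returns the row, or null if the input was
// rejected or no such item exists.
function fetch_news(PDO $db, $rawId): ?array
{
    $id = parse_item_id($rawId);
    if ($id === null) {
        return null; // reject instead of building a query from bad input
    }
    // Bound parameter: the value is sent separately from the SQL text,
    // so it can never be interpreted as part of the statement.
    $stmt = $db->prepare('SELECT item, title FROM news WHERE item = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (item INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO news (item, title) VALUES (1, 'First post')");
$db->exec("INSERT INTO news (item, title) VALUES (2, 'Second post')");

// Constructed inputs: one valid id, the string from the post, a trailing
// newline, and an array (which ?id[]=2 would produce in $_GET).
$inputs = ['2', ';DROP DATABASE mydb;', "2\n", ['2']];
foreach ($inputs as $input) {
    $row = fetch_news($db, $input);
    echo json_encode($input), ' => ', $row ? $row['title'] : 'rejected', "\n";
}
```

Only the first input returns a row; the other three are rejected before any SQL is prepared.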