It literally depends on the website, and your goal.  

The hackers / pentesters would have to first find a vulnerability and place their code there, yes (in the case of putting code onto another public server, like the one I mentioned in my malware post, where my clients had code inserted into their static webpages.)

As for your own server, accessibility is determined by the victim's need to reach your server.  So if you're on the LAN with the victim, then it'd need to be reachable from other machines on the LAN / subnet.  If your target is remote, then obviously your box needs to be reachable from wherever the target is.

If you're out to try to 'exploit the world,' then you'd need to be on a publicly-visible IP address / webserver.

So for your specific requests:

Paragraph 1 - yes, in the sense that you'd create the page with Metasploit, then upload onto the server

Paragraph 2 - yes, unless you're up to some XSS or other attacks.  But for your purpose, as explained in your post, for straight exploits on hosted pages, you'd exploit first, then place your code.

Paragraph 3 - Depends on the IP, and accessibility from the public side, that you have assigned to your Metasploit host machine.


In short, your post basically seems to ask if you could use MSF to create publicly-accessible and usable exploits, hosted on public websites.

Yep!  

Also...  (sorry for edits...)

As far as obtaining hosting space - nah.  You could register your address with dyndns, port-forward from your router to your MSF box, and wholla!  You're hosting a page, which you could either use directly, or link to from someone else's page.

Thanks guys, i'll have to look into this when I get back home, and can try this in the lab. Might have some more questions when I do.

Attackers typically compromise sites and use something called an exploit kit. These 'kits' allow the attackers to try a variety of different browser/flash/pdf exploits against the target to get it to download malicious software.

Information about the current exploit packs can be found here:
http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html