It literally depends on the website, and your goal.
The hackers / pentesters would have to first find a vulnerability and place their code there, yes (in the case of putting code onto another public server, like the one I mentioned in my malware post, where my clients had code inserted into their static webpages.)
As for your own server, accessibility is determined by the victim's need to reach your server. So if you're on the LAN with the victim, then it'd need to be reachable from other machines on the LAN / subnet. If your target is remote, then obviously your box needs to be reachable from wherever the target is.
If you're out to try to 'exploit the world,' then you'd need to be on a publicly-visible IP address / webserver.
So for your specific requests:
Paragraph 1 - yes, in the sense that you'd create the page with Metasploit, then upload onto the server
Paragraph 2 - yes, unless you're up to some XSS or other attacks. But for your purpose, as explained in your post, for straight exploits on hosted pages, you'd exploit first, then place your code.
Paragraph 3 - Depends on the IP, and accessibility from the public side, that you have assigned to your Metasploit host machine.
In short, your post basically seems to ask if you could use MSF to create publicly-accessible and usable exploits, hosted on public websites.
Also... (sorry for edits...)
As far as obtaining hosting space - nah. You could register your address with dyndns, port-forward from your router to your MSF box, and wholla! You're hosting a page, which you could either use directly, or link to from someone else's page.
Last edited by hayabusa
on Sun Oct 16, 2011 3:51 pm, edited 1 time in total.
~ hayabusa ~
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP , GPEN, C|EH