In my experience, the answer to your first question is 'never'. If the browser remains open it sends keep-alive requests every 3 minutes and the session will never be automatically logged out. See this quesion for more information.
If you close the browser, the keep-alives are no longer sent and the session will expire and be removed after about 5-10 minutes
Same behaviour as for a regular user described in answers 1 and 2.
Due to the fact that comments are limited here are my 2 cents:
Am I the only one who find it strange that the license model of Mendix is primarily based on concurrent usage but that as a developer I have no influence on how long a user stays in the system?
The Mendix system should keep track on inactivity from a logged in user! The ideal situation in my opinion is that as a developer I could set the threshold after which a certain microflow is triggered. By not building this into the system it looks like (and I do not say that it is so, but only looks like ;) ) Mendix wants to make sure that the number of concurrent users are as high as possible.