Scott Mitchell has continued the great ASP.NET 2.0 Membership, Roles and Profile Tutorial series he started a few months back, and has now posted parts 3 and 4 on it. You can read the series here:
Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 1)
Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 2)
Examining ASP.NET 2.0's Membership, Roles and Profile (Part 3)
Examining ASP.NET 2.0's Membership, Roles and Profile (Part 4)
In part 4 he discusses the Membership API's support for locking out users, as well as temporarily disabling accounts after too many failed login attempts. Specifically, you can configure ASP.NET to automatically disable an account after a specified number of failed login attempts (to avoid password dictionary remote hack attempts). You can then use the "UnlockUser()" method on the MembershipUser class to re-enable an account. I've seen several questions recently from people wondering how to-do this -- so it is great to see him cover it here.
One other question I see asked a lot on the forums is how someone can build their own custom admin pages for managing Membership and Roles information for their site. Peter Kellner wrote two great articles for MSDN that walkthrough how to build something like this (even using a GridView + ObjectDataSource to bind against the users in the database). You can check them out here:
Microsoft ASP.NET 2.0 Member/Role Management with IIS, Part 1: Security and Configuration Overview
Microsoft ASP.NET 2.0 Member/Role Management with IIS, Part 2: Implementation
For more information on ASP.NET 2.0 Security Topics, please checkout (and potentially bookmark) this blog post of mine here. I'm trying to link off to good security resources + samples I find on the web with it, and make it a one-stop place people can go to find good security related information.
Hope this helps,