Make sure you keep “none” for templates.
Yes.
Unless you know what you are doing, don’t choose sys-net. Just use sys-firewall for clearnet. sys-firewall provides additional filtering capabilities if you want to limit services and IP addresses a qube can connect to. Though if you don’t use them, then maybe this doesn’t make any difference.
See this thread: Qube Settings Caution Bang: What's this mean?