like this:
#domain.com/user-66
RewriteRule ^(user\-)([0-9]+)$ /user.php?id=$2 [L]
#domain.com/user/66/
RewriteRule ^( user)/([0-9]+)/$ /user.php?id=$2 [L]
#user.domain.com
RewriteCond %{HTTP_HOST} ^([0-9a-z\-]+)\. domain\.com$ [NC]
RewriteRule ^$ /user.php?login=%1 [L]
The last option with virtual subdomains is only possible if you have access to the server settings.

And it’s also easy to make your own 404, in the same .htaccess write
ErrorDocument 404 / error404.html
or

or
ErrorDocument 404 /index.php?error=404
or whatever.

In order to prohibit direct access to files in apache, there is the Deny command
. For example, to deny access to any folder (a real one), you need to put .htaccess with the Deny from all line in this folder.
But trying to reach such a folder is already a “403 error” “Access denied” and in general .htaccess
should already be written
ErrorDocument 403 / error404.html

Is it possible to force it to throw parameters not by GET, but by POST?

habrahabr.ru/blogs/webdev/101585/ - about your 3 points

I believe that the rules of the form
RewriteRule ^(user\-)([0-9]+)$ /user.php?id=$2 [L]
as suggested to you in the comment above, although they are correct for this task, but in the consequences lead to a strong growth of .htaccess with the growth of the site - then you will want to make not only such urls for users, but also for the directory, and for articles something like "articles/title.html". A somewhat more general principle for creating beautiful CNCs is described in my comment here habrahabr.ru/qa/1488/#answer_6155

Created this .htaccess
RewriteEngine on
RewriteBase /
#domain.com/mode/id/
RewriteRule ^(\w+)/([0-9]+)/{0,1}$ /index.php?mode=$1&id=$2 [L]
Deny from all
ErrorDocument 403 /index.php?error=404
ErrorDocument 404 /index.php?error=404
Now everything is forbidden.