I performed a migration from ICEcap to SiteProtector but some of these issues I think I can answer.
1) I needed to know what the account password was before for a certain account group since it had got lost. Support told me it is stored in a one-way hash and can not be retrieved. Assume same is true in SP
2) The policies do not set the passwords but it it pulled from the higher group
3) On the ICEcap, if you changed password on the server for an account, all the distributed agents related to that account are now lost and cannot connect back since their password is wrong.
4) The password is encrypted in the package. If you look at the agent's blackice.ini and icecapset.ini files, you will see the encrypted password
5) I have had to build a new agent, install somewhere, and compare the encrypted password of this one to the encrypted password string of the agent in guestion for a match
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.