I recently has a problem with a zencart site I built

Customers were ordering but sometime the order email would have their billing address but a name and email address that belonged to another customer. So the confirmation email went to someone else!
Usually someone who had just bough the same item just prior or a few orders prior to them.

So I
* changed passwords on mysql, server and site - just in case
* upgraded to version 1.3.8 - latest version
* added in extra php code to includes/applications_top.php as advised in another thread
* restricted address book to allow only one entry in admin>maximum values
* manually went through the databse in phpmyadmin and deleted erroneous address book listings
* purchased an SSL cert rather than use shared SSL

So far the problem has not repeated.

Now my questions:

1. The who's online facility does seem to show some customers logged in 1 ,2 or 3 times with active or inactive carts. Even though the customer name is the same the IP addresses are different. More often than not they are looking at the same product ( it's selling well just now)
Is this correct? I dont really understand how the data is displayed here and there's not much documented about it that I can find. Why would one name be in there several times? Are they really the same person or does the who's online show the wrong name until they create an account.

2. The site owner is understandablly concerned that people are trying to buy but cant. I have run test orders with no problems but he feels that because these people with different IP addresses but the same name appear add items to their cart and then do not purchase that there is some issue.
Is this likely or is it just we dont understand who's online?

3. Finally I have no idea why the above issue started. How do I prevent it from happening again and have I done all I can do to fix it?

regards

Richard