The general answer is that a lot of this depends on what you are securing in your app and how tight you want things to be. The other general piece of advice is that 2011 is a bit late to roll your own authentication scheme -- lots of better options are out there.
There are a few ways of handling password resets. One model uses the "separate security question" as a secondary way to identify people so you can perform a password reset online. There are other models, but the advantage to this one is that you have a good idea that this person isn't the guy who hijacked my email account and is now resetting my passwords to get access to stuff.
Activation emails are more of an anti-spam and anti-impersonation thing -- you are verifying that this person has access to this email account and can click on a link. It kind of prevents people from hijacking someone's email address, and it also puts a damper on some forms of automated sign-ups.
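
The activation-link check described above, as an added example that is not part of the original answer: the server emails a random single-use token and stores only its hash, so clicking the link proves access to the mailbox. `ActivationStore`, `TOKEN_TTL` and the in-memory dictionaries are hypothetical stand-ins for whatever an existing authentication framework provides.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed validity window for the emailed link, in seconds


class ActivationStore:
    """In-memory stand-in for an accounts table (hypothetical schema)."""

    def __init__(self):
        self.pending = {}      # email -> (sha256 hex of token, expiry timestamp)
        self.verified = set()  # emails whose owner clicked a valid link

    def issue(self, email, now=None):
        """Create a token for the activation link; only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[email.lower()] = (digest, now + TOKEN_TTL)
        return token  # placed in the emailed link, never logged or stored

    def activate(self, email, token, now=None):
        """Return True only for a matching, unexpired, unused token."""
        now = time.time() if now is None else now
        email = email.lower()
        record = self.pending.get(email)
        if record is None:
            return False  # never issued, or already consumed
        digest, expires_at = record
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):  # constant-time compare
            return False  # wrong token: leave the pending record in place
        del self.pending[email]  # single use: a replayed link fails
        if now > expires_at:
            return False  # correct token, but the link has expired
        self.verified.add(email)
        return True
```

A production version would also rate-limit `activate` per address and per client, since the token check is the only thing standing between an automated sign-up and a verified account.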