1 - You'll need port 80 open for people who don't specify the protocol, i.e. they just type www.domain... You'll also need a redirect to bump these people to port 443.
2 - 443 - Make sure that all resources (images, CSS, JavaScript, etc.) are also https, or you'll get a mixed content warning.
3 - Client browsers won't need anything special as long as your SSL certificate is issued by a known provider. Most browsers have lots of trusted authority certificates packaged with them (sorry, not exactly sure of the correct terminology).
4 - see above; shouldn't apply at all
Best Answer
http and https refer to the protocol in use.
http is used for unencrypted cleartext communication, which means transferred data may be intercepted and read in plain by a human. Username/password fields may for instance be captured and read.
https refers to SSL/TLS encrypted communication. It must be decrypted to be read. Normally/ideally only the endpoints are capable of encrypting/decrypting the data, although this is a statement with caveats (see edit below).
Therefore https may be considered more secure than http.
:80 and :443 refer only to the server port in use (i.e. it is "just a number") and carry no significance at all with regard to security.
However, there is a strong convention to send http over port 80 and https over port 443, which makes the combinations in the question more than a little unorthodox. They are technically perfectly usable though, as long as the endpoints are in agreement and no intermediary filter objects.
So to answer, http://example.com:443 is less secure than https://example.com:80 and the difference is practical (even though it can be offset in a number of ways) and not merely theoretical.
You can easily test the validity of these statements using a webserver and client where you manipulate the server port and the encryption status, whilst capturing and comparing each session with a protocol decoder such as Wireshark.
[EDIT - caveats regarding the security of the client/server path]
What essentially amounts to an https man-in-the-middle attack can be performed for purposes of eavesdropping or impersonation. It may be done as an act of malevolence, benevolence or as it turns out even due to ignorance, depending on circumstance.
The attack can be done either through exploiting a protocol weakness such as the Heartbleed bug or the POODLE vulnerability, or through instantiating an https proxy between the client and server in the network path or directly on the client.
Malevolent use does not need much explanation, I think. Benevolent use would be for example an organisation proxying incoming https connections for purposes of logging/ids, or outgoing https connections for filtering allowed/denied applications. An example of ignorant use would be the Lenovo Superfish example linked above or the recent Dell variation of the same slip-up.
EDIT 2
Ever noticed how the world keeps the surprises coming? A scandal just erupted in Sweden, where three county council healthcare organisations have used the same supply chain for registering health care events through patient telephone calls.
As it were, the question thereby gets an answer on the grand scale of things. If only it were a practical joke and not an actual event...
I will simply paste two snippets translated from the news text in Computer Sweden:
I cannot decide if this is yet another example of ignorance, or if we’re seeing an entirely new category. Please advise.
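A small offline version of the test suggested in the answer above, as an added example that is not part of the original answer: it looks at the first bytes a client sends and reports what is on the wire regardless of the destination port. The sample flows, the login request and the function names are constructed for illustration; the TLS ClientHello is produced in memory by Python's `ssl` module.

```python
import ssl

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def tls_client_hello(server_name="example.com"):
    """Return the first bytes a TLS client would send, without touching the network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server has replied, but the ClientHello is now queued
    return outgoing.read()

def classify(first_bytes):
    """Identify the protocol from the payload alone; the port is never consulted."""
    # A TLS handshake record starts with content type 0x16 and major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def audit(flows):
    """flows: iterable of (dst_port, first_client_bytes) taken from a capture."""
    report = []
    for port, payload in flows:
        proto = classify(payload)
        report.append({
            "port": port,
            "protocol": proto,
            "starts_tls": proto == "tls",
            "password_visible": b"password=" in payload,
        })
    return report

# Constructed login request, sent in cleartext.
HTTP_LOGIN = (b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
              b"Content-Length: 27\r\n\r\nuser=alice&password=hunter2")

# The two unorthodox combinations from the question (constructed sample flows).
SAMPLE_FLOWS = [
    (443, HTTP_LOGIN),          # http://example.com:443
    (80, tls_client_hello()),   # https://example.com:80
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(row)
```

This only inspects the opening bytes of each connection; confirming that the rest of a session stays encrypted still needs the full capture the answer describes.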