I try to answer all your questions, but please try to think from the other side with less bias if possible
1- "Allow duplicate IPs" in system setting is not very useful because two people in same house should be able to use the games at the same time ON DIFFERENT TABLES or SEPARATE TOURNAMENTS. That's where your Ring table IP restriction comes to help.
2- I'm not sure why you emphasis on IP more than Account. We don't care who registered with what IP, we just want to make sure no duplicate IPs are in the game, ESPECIALLY in freerolls that even if the player loses his registered place, there will be no need to refund (0) to him.
For example:
-> John registers with any IP , Jane and other players can register with identical or most probably different IPs.
-> Jane connects to game with IP1 , now the IP1 is DEDICATED to JANE at the moment. No other player can use that IP1 FOR SAME FREEROLL as long as Jane's session is alive. If John tries to connect with same IP, he will receive a "We're sorry" error and some instructions to renew his ipconfig or switches to another VPN/proxy channel or reboot his router and then try again.
-> Jane gets disconnected or her IP1 has now changed to IP2 after the break. Now another player tries to connect to the game with IP1, your IP-Session hash table should simply show that IP1 is not dedicated to any ACCOUNT now, so it is allocatable.
You can do your final checks , if necessary, with a cookie (or computer id?).
Please consider this math:
-What's the probability that two different Internet users come to same PM sever at the same time and want to play same tournament?
-Now what's the chance that we have at least one cheater in our turneys, specially if they are aware of this flaw?
Again, please consider three things:
1- This wouldn't be too much work for you and no hurt to the player if it's a Freeroll
2- Players feel more fairful games, less cheated, and they will admire PM. I am very involved with players and been in this business for years. I also have a big forum just for poker (can send you the url if you like), and I see many complaints about players who lost the tournaments because of being "pressed" by two colluders on a table.
3- Aren't you going to consider adding ipv6? this will eliminate the problem forever.