Can you even hit SMB shares over the internet? Seems to be that the malicious computer would have to be on the same network for this to work.

Indeed you can. Try \\live.sysinternals.com in a Windows Explorer window for an example of it (presumably mounting it in linux would work as well, although I haven't tried).

In theory yes, but many many consumer ISPs filter the TCP ports required to do this, so it might not be as successful as one would expect.

On launch, your application can check to see what directory it's in. If the directory is mounted as the same name as the .dmg image you shipped, then you could prompt the user. "You appear to be running this application from a disk image. This will make the application run slower. You should copy the application to your Application Folder. Do you want to move it there now automatically Y/N/don't show this again." or whatever.

Let's combine this with the zip file approach. Your app is distributed as a zip file containing only the app folder. Safari unzips it automatically, then the user double-clicks your app icon. Your app notices it's in the "Downloads" directory and asks "Would you like to install me to the Applications folder?" If so, the move is done visually by opening two finder windows and literally moving the app icon as if it was being dragged. Afterward the Applications folder remains open displaying the app icon in case the user wants to drag it to the dock.

Some, I think Adium is one, already do this. It's really nice, very use-friendly.