I don't claim to be an expert, but:
1 - I believe this is correct (the logon via cached credentials)
2 - The computer must have an active network connection BEFORE the user logs on in order to get server-based login scripts to execute.
Depending on your environment, and how much of it comes from Microsoft, this may be easy to remedy. I used to support a wireless environment that used Server 2k3 for AD, RADIUS, and PKI. All workstations ran EAP-TLS via WZC using machine and user certs that we pushed out via auto enrollment (these certs were only for wireless access). We had a GPO that created our wireless profile, forced our profile as the "top" (most preferred) and could not be deleted/moved. We also used the GPO to disable Ad Hoc networks.
Our drives mapped, login scripts ran, etc., just like wired connections.
I don't think that other supplicants can be managed via an AD GPO, but they usually offer a tool for creating a profile. This can then be packaged up and pushed out via login scripts, SMS, etc (Intel PROSet and ThinkPad Access Connections are two that I know can do this).