http://www.ask.com/web?qsrc=1&o=15142&l=sem&q=+O+p+e+n+W+i+k+i+-+alert%28%27David%27%29
You didn't actually do anything, other than find a page which itself happens to be (unintentionally) exploiting some sort of hole.
Edit: I'm wrong -- I lazily only tested in chrome with its XSS protection enabled (somewhat impressive that the "David" alert gets through in that context). In non-XSS protected browsers, your XSS works as well.
I'm not sure your understanding of XSS is correct... I recommend reading these two articles, the first explains XSS, and the second explains how noscript tried to mitigate the risk.
In general, yes, you'll want both network scanner and web scanner. Nexpose is free for 32 IPs if you have a small net you're concerned about.
Yes, post login scanning is possible, but more difficult. First of all, you need to be careful about what you're scanning: for instance if you scan a "delete users" function without thinking carefully about what it's doing you might have a bad time. ;-)
With burp you can use the built in session handling which is a bit complicated, or manually log in and have the tools set up to use the cookie jar. Most other tools have similar functionality, and the $$$ tools like Appscan and webinspect have easier to use wizards. Acunetix is somewhere in the middle of the cost/ease of use spectrum, and is a pretty good value.
See https://portswigger.net/burp/help/options_sessions.html for some info on this, but there's a lot of quirks to deal with in various appllications, and this is part of where a pro or more expensive tools show their value.
You can practice on test targets like DVWA which have a login to see how it goes in general..
http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470 .Currently I am reading this book and I highly recommend reading it before jumping into XSS cheat sheets. It does cover XSS vulnerability in detail.