1. User 1 in vlan 10, if he connect his laptop anywhere in the building he should be at vlan 10
2. User 1 found administrator password and change his ip to vlan 20 ip, he should NOT be able to access vlan 20, or the switch should block his MAC
whats the easiest way to do this, using the above switches
Let's take first things first. Your 1st requirement:
"User 1 in vlan 10, if he connect his laptop anywhere in the building he should be at vlan 10"
To do this, it is my understanding that you would need a VLAN Membership Policy Server (VMPS), which can be run on a Catalyst 4500 or 6500. As you don't have any VMPS capable switches, it looks like you wont be able to meet this requirement... or you could setup up a 3rd party on FreeNAC.
If you do setup a VMPS, and he changes his IP, he wont be able to communicate with any devices, as either his IP will be out of the range of his Default Gateway, or his self-assigned gateway will mismatch that which the switch is giving him via the VMPS/VTP/VLAN (ie, the switch will still assign him vlan 10).