I'm commenting on the things you raise out of order. I want to tackle
the following aspect first, because it may affect your understanding of
AT commands generally.
I think you've misunderstod the query forma of AT command syntax. They
are not three parameters, but three supported alternative values for
parameter 1.

Let's take this AT+CGREG command as our example. Certain (but far
from all) commands have three types of syntax. They are:

1. Set the value for the command on the modem. If you want to
set +CGREG to zero, the command is "AT+CGREG=0".

2. Query the present value. The syntax for that is "AT+CGREG?".

3. Query the range of values supported by the modem. This is the
"AT+CGREG=?" command.

In the case of this command, only the first parameter can be set.
That's the mode of responses to subsequent "AT+CGREG?" commands.

Your "AT+CGREG=?" command result is telling you that +CGREG can be set
to either 0, or 1, or 2. The other value defined in 3GPP 27.007 is 3,
and your modem is telling you that it doesn't support being set to 3.
This is telling you that you've got +CGREG set to 2.

The 1 in the second parameter says that your modem is registered on your
home network.

And then there's the LAC and cell ID, of course.

If +CGREG was set to 0 or to 1, you'd not be getting LAC and cell ID
information.

Now modes 1 and 2 also provide unsolicited reports. That's to say,
you'll get a "+CGREG: ..." result whenever there's a change in the
cellular environment which affects +CGREG.
That's giving you the operator name. You can set it to give you the
network ID (MCC concatenated with MNC) instead, using "AT+COPS?" after
configuring it first with "AT+COPS=3,2".

The nalue 3 in the first parameter means "leave the value in the first
parameter unchanged".

Assuming that you don't have a data connection up, the command
"AT+COPS=?" will do a little more than report supported values. It does
a network scan, and will report all networks visible to your modem at
the time. It can take a while (from several seconds to more than a
minute) to come back with results.
I don't know where you got that bit about <format> from, but it's
not right. It seems to me that you're thinking about the "AT+COPS"
command there.

In fact, "AT+CREG" and "AT+CGREG" behave in the same way. The differnce
is that "AT+CREG" lives in the circuit-switched domain, while "AT+CGREG"
works in the packet domain (ie, with GPRS as far as GSM is concerned).
Personally, I'd avoid any potential problems with the APNs required for
GPRS, and use "AT+CREG=2" instead.

In fact, if you want a one-shot reading of LAC and cell ID, with no
unexpected unsolicited results to follow, you can do that with the
composite command:

AT+CREG=2;+CREG?;+CREG=0
You need to get out more :).
I downloaded an AT command reference for your module from:
http://www.espruino.com/datasheets/SIM900_AT.pdf

There are some very powerful commands available in engineering mode,
including what looks to me like Network Management Results. This should
give you at least signal strenghts for the strongest 6 neighbouring
cells.

It looks like you can also read the timing advance (TA) value. Multiply
that value by 553.5 metres to give you the approximate distance to the
cell you're camped on. If you're moving, or if the cell changes, you
need to interact with the tower so that the module updates the TA
value. Otherwise it'll be stale.

In the past, I've used "AT+CLIP?" to force such an interaction, and
refresh the TA value.

John