You'll need some kind of storage (eg. XML file or database) to keep record of the attempts and mark the account as locked. My best suggestion would be to log the first failed attempt and keep a counter. If the attempt is over 2 hours ago, reset the counter and replace the 'first failure' time with the current time. If the counter hits 3, the account is locked and a 'release time' is recorded in your record (2 hours later maybe? It will be empty if the account isn't locked). Don't forget to reset the counter and failure time if they successfully log in. Also, if they try to log in after the 2 hours is up (ie. after the release time), reset the release time to null.
Hope this helps.

The attempt for login for each user is handled with Session objects. On session start (global.asax file in project) initialize the value of the object to zero.
protected void Session_Start(Object sender, EventArgs e)
{
// Initialize the counter to zero
Session["LoginCounter"] = 0;
}
After each non-successful login increment that value by 1.
For login see the links:
http://www.ondotnet.com/pub/a/dotnet/2004/02/02/effectiveformsauth.html
http://www.csharpfriends.com/Articles/getArticle.aspx?articleID=70
http://www.devhood.com/tutorials/tutorial_details.aspx?tutorial_id=85

Unfortunately, that approach means that the user just needs to restert the browser for another 3 attempts.

I think the solution is much simplier. As I understand the request, the user is on a screen and trying to sign on, after the 3rd unsuccessful attempt, some sort of event is fired off to lock the account.
So, when the user enters their information and presses some sort of button:
1) Check the validity of the userid/password
2) If unsucessful, increment the global counter by 1(set initially to 0).(The counter needs to be at a class level)
3) If the counter = 3, lock the account.

No, after three unsuccessful tryings he can lock the account. The session helps to determine that we are counting for the same user continousely.
However, why it is necessary to lock the account. You probably mean for few days.

I think the requirement needs more definition:
Either it is to check 3 times within the same session (which I think he is asking) or 3 times for all sessions(which wouldn't make sense, since a person could put in the incorrect passsword day 1, day 30 and day 365 within a year and with this logic, they would be locked out on day 365)