1- Yes - before you can remove I/F settings you need to change to null zone. Does not affect policies in place.
2- trust.vr is actually a "virtual router (VR)" and that concept is seperate from zones. Zones exist within a VR. I would not worry about VR's right now. Just make sure everything is in the trust.vr.
3- If you have multiple I/F's in the same zone (example trust) then by default traffic is allowed to flow between them.
4- Otherwise traffic flows between zones require a policy.
5- You do not need a VPN to have the box act as a regular FW/Router. Outbound traffic will flow (example trust to untrust) if policy is enabled. Inbound return traffic that matches an outbound flow will automatically be allowed in.
6- If you want to allow new, inbound traffic you would need to create a policy (example untrust to trust) to allow that traffic in, using the address book and the other policy options to control the flow. Also that is when you get into more of the NAT use.