HI Claire,
I think you have spotted an error in the link. I have not labbed this up but I think it would failed the commit as you quite rightly say, the 'chicago' object it attached to the untrust zone. For this to work it would need to be attached to the vpn-chicago zone or attached to no zone in the global address book.
In answer to the question of do we need a separate zone, the answer is no but it is often a good idea as you may want traffic initiated from the remote site to be allowed into your trust zone. The policies can be simpler if the st0 interface is configured in a separate zone.