I have multiple subnets, maybe in multiple zones, that need to use a site-to-site VPN tunnel.
Set up a "Site-to-Site" VPN. Create an address group that contains all the subnets (regardless of zone) that need access to this VPN. Create an address group that contains all subnets on the remote side. Use those group objects in the Network tab of your VPN as the "Choose local network from list" and "Choose destination network from list" as appropriate.
If you have a non-Sonicwall firewall on the other end, it may be informative to know that these groups are used to set up proxy-id pairs; set your policies or proxy-id settings accordingly.
I couldn't get this to work in tunnel mode.
If you have a SSLVPN network defined, it probably overlaps with one of your internal networks. If you include that internal network, you don't have to include the SSLVPN object in your network group. Note that this may not be what you want -- see SSLVPN Access to VPN Networks