I think you're on the right track there, as I've been trying to do the same thing. I created a new user role and then used the ZenUser and ZenOperator users as a guide. So I selected the following:
Administrators View, Change Event Views, Define Commands View, Maintenance Windows View, Manage Events, Run Commands, ZenCommon.
Then back in the normal Zenoss front end I assigned that role to a user. Then I added that user to a group and defined the administered devices to that group. At that point I'm pretty sure that the user with the new role could only see the specified devices and that they could manage events.
It's been quite a few weeks since I was playing with this and I can't quite remember how I left it, as I've been caught up with other things. So I hope this helps.
Like you, and others I guess, I do find it a bit annoying that a relatively simple concept isn't available, or that the documentation is less than forthcoming on the subject.