Ron,
You have a few options:-
1) Tunnel all traffic and route internet traffic thru an internal proxy server
2) Tunnel all traffic and let the internet traffic leave directly from the PIX/ASA outside interface
3) Configure split tunneling and only encrypt your internal IP subnet traffic, let the users break out locally for there internet provider.
Pptions 1 and 2 do not allow local access to the users own lan - this can be fixed by tunneling all traffic, but allowing LAN access.
There are some security concerns, while the user is connected to the VPN, the machine could be used as a jump off point into your network if the users has access to the internetl locally.
If you tunnel all traffic and break out from your PIX/ASA for the internet, if the users machine is compromised - you could black list your internet IP from your company location.
It really depends on your network/security policy.
HTH>