When you configure the PIX, usually there is a new nat pool assoicated with the incoming VPN user. You can use this access control list to restrict the VPN user access. For example: the pool for the VPN user is 10.10.10.0/24 and the only server they can access is 192.168.10.1/32. The related command will be:
access-list 101 permit ip host 192.168.10.1 10.10.10.0 255.255.255.0
nat (inside) 0 access-list 101
You can also relay the user authentication to AAA server and create the dynamic access control list per user/group based.