The VPN client does have a personal firewall built into it now, this firewall can be enabled all the time, or just when a tunnel is built. Currently only the VPN3000 concentrator can actually push a firewall policy to the client.
If all you want though, is to deny access to the PC except for PC-initiated connections (no-one from outside can initiate a connection to the PC), then this is the standard policy and can be enabled just by selecting the "Stateful Firewall Always On" menu option within the client, no head-end concentrator is needed.