To seperate traffic that you want to send accross unencrypted from traffic you want to encrypt, you can use split tunneling which is nothing but defining the traffic you want tunneled across using access lists. To configure split tunneling for your client-concentrator tunnel, create a network list to include all the networks you want the client to access over the VPN tunnel. This can be done (on the concentrator) by going to Configuration | PolicyManagement | Traffic Management | Network Lists and clicking on add. After defining the list, go to Configuration | User Management | Groups and select the group the VPN clients are connecting to. Under the split tunneling configuration option, select the network list you just created. When the client connects to the concentrator it will encrypt traffic only for the network specified. For all other traffic, the client will use the ISP connection.

With reference to your second question, I don't think that you can have a GRE tunnel to your concentrator just as you can't have a GRE tunnel to your PIX (... do cross check this though!!). The way I do the same is to configure the gre tunnel between the remote router and an internal router over the vpn, behind the concentrator. Configuration is simple and similar to the configuration that you will put in place with no vpn setup. All that you need to make sure is that just make sure that the gre tunnel traffic is classified as interesting.