ACL's on a PIX are a bit different if you're used to conduits. In answer to your questions:
a) Yes, it most certainly does. When you apply an ACL on a higher security interface start by blocking the outbound traffic you don't want, then permit everything else (or write a list of explicit permits which would not be easy).
b-1) Yes, they have full access except in two cases. First, if you're using vpngroups with split tunneling you'll find that they can only access resources in the internal networks you listed when you defined the split tunneling ACL. Second, if you're using authorization you can restrict access with using an ACL. This requires a AAA server. No statics or conduits are required.
b-2) It depends. For just generic client VPN, no. Keep in mind that as soon as you apply an ACL to a PIX interface the usual higher-to-lower-is-permited behavior changes. For example, if I write an ACL to permit a DMZ host access to a higher-security network, I have to make sure that my ACL then explicitly permits traffic to lower-security interfaces, or the internet (assuming I want this). The implicit deny of a Cisco ACL is very much in effect.
b-3) I don't know, I haven't tried it. My understanding is that you'd have to write an outside interface ACL that explicity permits IPSec traffic. If you want to restrict VPN users there are easier ways.
Your questions aren't stupid, it's not a clear-cut subject. Let me know if anything needs clarification. Have a nice weekend.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :