The "sysopt connection permit-ipsec" command will allow all traffic that comes inside the tunnel to pass through the PIX without another layer of access-control. Without this command, you need to open up your PIX to allow specific traffic to pass that comes through the VPN tunnel. This command is useful only after the tunnel is built.
I am not sure if one can restrict the tunnel building based on the workstation IP address. Can someone throw more light on this?