So you set up a user and you say, "OK, you can do stuff on the VPN that you cannot do when you're not on the VPN," and that makes my server that you are remoting into secure.
Right.
After talking to a firewall administrator at Datapipe today, here's how your Cisco PIX really works:
Someone logs into the VPN and gets onto the server. From there they have free rein to do anything your outbound port access allows them to do. If they can get onto the server, and your outbound access includes FTP, they can send all your data to whatever outside server they want. Apparently, if you want to restrict FTP downloading so that no one but, say, an administrative VPN user can do it, you can't do that at the firewall level.
And it also means if you want to allow customers to upload photos, for instance, but not download data, and make their access more secure so only VPN users can upload files, that's not completely solved by a VPN.
Which means you have to count on software - your OS, your applications... and you have to manage via a Windows domain or manage each individual server and cannot globally handle these things at the network level.
And that's scary.