Why is this traffic being allowed?

robbo79871, Level 1

[attachment: asa.PNG]

I'll start from the top:

I have set up an ASA site-to-site dynamic config with named tunnel groups, which all works fine. My question is: just for testing purposes after setting up the site-to-site VPN, I then went to ping the outside interface of both the ASAs, where I expected the pings to be dropped, but they weren't.

Without any ACL applied coming in on the outside interface of both ASAs, it still allows the ping to the outside interface (not through the VPN tunnel; from the ISP cloud in the middle).

With a deny ip any any applied in on the outside interface it still allows the ping (not through the VPN tunnel; from the ISP cloud in the middle).

With the "sysopt connection permit-vpn" command (which, as I understand it, allows VPN traffic coming through a tunnel to bypass any interface ACLs) applied, it still allows the ping (not through the VPN tunnel; from the ISP cloud in the middle).

With the "no sysopt connection permit-vpn" command applied it still allows the ping (not through the VPN tunnel; from the ISP cloud in the middle).

But if I ping from the other inner VPN network on the right (PC2) with that command still applied, it does not allow the ping now; when I add the sysopt connection permit-vpn command again, it allows the VPN traffic.

So the interesting thing is that with the no sysopt connection permit-vpn command, the ACL applied coming in on the outside interface still does not affect traffic not coming through the VPN tunnel and passes it, but it does affect traffic coming in on a VPN tunnel.

Update: Quick thought, am I missing something here or confusing myself? Is it default behaviour for an IP somewhere on the "outside" to be able to ping the outside interface, with a security level of 0, for the ASA anyway?

Both the same-security-traffic permit commands have been applied also, and I changed the "outside" interface on both ASAs to security level 100 to see if it wouldn't work then, but it did again.

1 Reply

On the ASA, ICMP is a service which is allowed or blocked using icmp permit
x.x.x.x or icmp deny x.x.x.x.

You can use these commands to allow or deny ICMP.
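The behaviour in the question comes down to which traffic an interface ACL actually filters. An access-group applied "in interface outside" only filters through-the-box traffic, which includes decrypted VPN traffic unless sysopt connection permit-vpn is set to bypass the ACL. Packets addressed to the ASA's own interface (such as a ping to the outside IP) are control-plane traffic, and for ICMP they are governed only by the icmp permit/deny commands, which is why the deny ip any any ACL had no effect on the ping. The configuration fragment below is an added example, not from the original thread: the interface name "outside", the addresses (RFC 5737 documentation ranges), the monitoring host 203.0.113.10 and the quoted syslog line are all assumed or constructed for illustration.

```cisco
! Added example (not from the original thread). Interface name, addresses
! and the monitoring host 203.0.113.10 are assumed.

! --- Weak state (ASA default): no icmp rules on the interface ---
! With no icmp entries at all, the ASA answers echo requests sent to its
! own interface address. The interface ACL below does NOT change that,
! because access-group only filters through-the-box traffic.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
!
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
! Result: "ping 198.51.100.1" from the ISP side still succeeds.

! --- Corrected state: restrict to-the-box ICMP with the icmp command ---
! Rules are matched top-down. Once any icmp rule exists for an interface,
! ICMP to that interface that matches no rule is implicitly denied, so the
! final "icmp deny any outside" is only there to make the intent explicit.
icmp permit host 203.0.113.10 echo outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
! Result: echo from 203.0.113.10 is answered; echo from any other source
! is dropped. Unreachable/time-exceeded are still accepted so path MTU
! discovery and traceroute toward the ASA keep working.

! --- Verify ---
! show running-config icmp
! show logging | include 313001
! A denied probe is logged like this (constructed sample line):
! %ASA-3-313001: Denied ICMP type=8, code=0 from 192.0.2.50 on interface outside
```

The icmp command only covers ICMP. On ASA 9.x, other to-the-box traffic (SSH, HTTPS for ASDM, IKE on UDP/500 and 4500) can be filtered with a separate ACL applied as "access-group NAME in interface outside control-plane"; the ordinary interface ACL never sees that traffic either, so a deny ip any any on the outside interface is not evidence that the firewall itself is unreachable.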