1 "allow external Cisco VPN clients to use one server out of four only"
config filter apply to the group level can control this easily. Or if you have a router behind the VPN 3005 concentrator, put a access-list to control the traffic from the ip address pool for VPN clients will do as well.
2 "At the same time, we need to allow other normal external users to access the remaining 3 servers. " If you mean other nomal external users can access your 4 servers without using VPN, why need control for question 1 ? Because those users do not need use VPN can access 4 servers through internet any more.
3 ". Lan users are on a private netwrok and they also need to access all the four servers as well as internet surfing. "
This has nothing to do with VPN 3005 concentrator. If have a PIX, put 4 servers in the DMZ 1 interface, and concentrator in the DMZ2 interface, inside interface connect to your local LAN, outside interface is the internet.
I am pretty sure you can make above working fine.