Core issue
Since users hit the servers through their global IP addresses, the traffic cannot be stopped by issuing the nat (inside) 0 command to an Access Control List (ACL).
Resolution
Remove the sysopt connection permit-ipsec command from the PIX Firewall configuration. Add statements to the ACL applied to the outside interface permitting Encapsulating Security Payload (ESP), UDP 500, and the traffic from the VPN pool to the specific server.
For more information on how to configure PIX ACLs, refer to Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX.