Users have their AnyConnect .xml profile set to not allow local LAN access when the VPN is connected.
Split-tunneling is configured via AnyConnect and is working fine.
The split tunnel policy is set to tunnelspecified.
Test user is able to connect to machines on his local (home) network segment, which uses a network ID that is not specified by the tunnel config.
How is this possible? My understanding is that (a) split-tunneling should not work if this setting is disabled, as internet destinations (for example) cannot use the local LAN adapter, and (b) the user should not be able to access systems on their local LAN?
I verified that any client-side tools like web proxy clients etc. are disabled and this behavior persists.
Is there a gap in my understanding? Why is this happening?
Here is some information to better assist your understanding of the difference between split tunneling and local LAN access:
Split tunneling and Local LAN Access are two separate things. From within AnyConnect: if you look at the VPN 'Statistics' tab, under Tunnel Mode (IPv4) it will either say that all traffic is tunneled or show you what is configured for split tunneling. Also, if you go to the 'Route Details' tab you should see either a secured route of all 0s, meaning everything is secured and tunneled over the VPN, or specific prefixes, indicating that split tunneling is enabled.
To clarify further, split tunneling allows us to specifically configure what traffic is sent over the VPN tunnel and what traffic is sent unencrypted over the internet via the local network gateway.
Local LAN Access is a hybrid solution that tunnels all traffic over the VPN (encrypted), but local network access is allowed and unencrypted. Note, though, that the local network access is restricted to that subnet only. Essentially, once configured and allowed, "Allow local LAN access" automatically detects and permits local LAN connectivity while tunneling and securing everything else. HTH!
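As an added illustration (not from either poster), here are the two ASA group-policy shapes discussed in this thread side by side; the ACL, group-policy names and prefixes are assumptions, not taken from the original post:

```cisco
! --- Shape 1: split tunneling (tunnelspecified), as in the question ---
! Only the listed prefixes are pushed to the client as secured routes.
! Any other destination, including the user's home LAN, is routed out the
! local adapter no matter what the profile's LocalLanAccess setting says.
access-list SPLIT_TUNNEL_ACL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL_ACL standard permit 172.16.0.0 255.240.0.0
!
group-policy GP_SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
!
! --- Shape 2: tunnel everything, but allow local LAN access ---
! excludespecified with a single "host 0.0.0.0" entry is Cisco's documented
! way to exclude only the client's directly connected subnet; every other
! destination (internet included) stays secured over the VPN.
access-list LOCAL_LAN_ACL standard permit host 0.0.0.0
!
group-policy GP_LOCAL_LAN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_ACL
!
! Client-side half of Shape 2: the AnyConnect XML profile must also permit
! local LAN access (element name from Cisco's profile schema):
!   <ClientInitialization>
!     <LocalLanAccess UserControllable="true">true</LocalLanAccess>
!   </ClientInitialization>
```

Checked from the client as the answer describes: under Shape 1 the 'Route Details' tab lists the two prefixes as secured routes, while under Shape 2 it shows 0.0.0.0/0 secured with the client's own subnet listed under non-secured routes.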