Yes, you can use Win2000 IAS as the radius server for PIX515 to authenticate your VPN users. In IAS you can configure a vpn group and make the vpn users as the member of that group so that even the users who belong to your win domain but dosn't belong to vpn group will not be able to login to VPN. To make your VPN more secure you can use two factor authentication so that the vpn users can use a token to generate a "one time password/response" to the challenge received from the vpn system.
So in order to login to VPN the user will provide their windows password which will be passed on to a middle tier who will pass it to IAS server and if it matches then the middle tier will send a challenge to the user and will be expecting a CORRECT response, the user will generate a "on time password/response" with the help of a token and inputting the challenge into the token. When the middle tier receives the correect response it tells the PIX that the radius authentication is successfull.
For the PIX the the middle tier will be the radius server which in turn uses IAS in the background to verify the initial user windows password. You can look at following middleware/token products:
http://www.vasco.com/products/product.html?product=11
and Digipass tokens.
I DON'T work for Vasco. I have used their products in past and found them reasonably priced and very good solution.
Good Luck.