1) If you don't want your VPN users to go through the access lists configured on your PIX, you can use the "sysopt connection permit-ipsec" command.
If you don't, then the VPN users would have to go through the access lists. But which access list are we talking about? The one placed on the outside interface?
2) What if you have VPN users from the internal network (connecting to the inside of the PIX). Then which access list would they be concerned with? The inside one?
I would prefer to receive answers from someone who has verified the above in a lab or someone who is really confident of his views.