
This is not correct. A VPN simply extends security policy to a different location. A VPN user must make sure that local security policy prevents other traffic from entering the VPN connection.
This is nice in theory, but in practice is simply not true. Even assuming that the most restrictive settings are used (user may not install software by admin setting, has no local administration on his machine, IP traffic other than via the VPN is exclusive to the VPN client) it is *still* possible that the machine could be compromised by (say) an email virus which then bypasses security by any one of a dozen routes.
Welcome to the world of formal security models. If in theory a VPN is nothing more than a tool for extending the security policy of a site to a remote location, then it does not matter what kind of things you try to achieve with it, it *won't* work for anything other than extending a security model of a site to a remote location. Can one try to use it for something else? Sure, one can. It may even work for a little bit, as long as it does not contradict that security model. Your VPN connection dropped you back into your site. If it is the site's security model that all mail comes in and goes out via some mail server that filters out email viruses, and via VPN you are virtually in a footprint of that site, then why are you not using the site mail server, or why does the VPN client let you not use it? If it does not enforce the site's security policy, then it is a BAD VPN client.

Alex