It appears that you are missing an exception in your HIPS firewall rule(s) to allow for vpnagent.exe to communicate on port 80. Though, based on the title of your post, this is a bit confusing because you say that your end-user is unable to access the Internet unless they use the VPN.
An easy way to figure out what rules you need to configure in your HIPS firewall rule(s) is to turn on 'Learn Mode' for both incoming and outgoing. You will then be prompted by the firewall for either an 'Allow' or 'Block' whenever an unknown connection is attempted. By using this feature, you can find out exactly what is blocking access to port 80/443/8080 (common http/https Internet protocols) and then add those exceptions to your firewall rule.