It appears that you are missing an exception in your HIPS firewall rule(s) to allow for vpnagent.exe to communicate on port 80. Though, based on the title of your post, this is a bit confusing because you say that your end-user is unable to access the Internet unless they use the VPN.
An easy way to figure out what rules you need to configure in your HIPS firewall rule(s) is to turn on 'Learn Mode' for both incoming and outgoing. You will then be prompted by the firewall for either an 'Allow' or 'Block' whenever an unknown connection is attempted. By using this feature, you can find out exactly what is blocking access to port 80/443/8080 (common http/https Internet protocols) and then add those exceptions to your firewall rule.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.