We have an external company who has access into a few subnets of our LAN via a network connect policy.
They have complained that when they connect via Network Connect they lose access to the Internet.
In the Network Connect Access Policies we have defined the two subnets they need access to on our LAN.
I'm just not sure what Split Tunnel mode I should use.
Currently the split tunnel mode is "Enable Split Tunneling with allowed access to local subnet"
Is this the best way to configure split tunneling for this requirement?
Does anything else need to be configured?
I had the same issue with external vendors using NC. It was assigning them one of the IPs on OUR network, so their IP phones would lose connectivity. The only way I was able to correct this was moving them to WSAM.
Enabling split tunneling is the way to allow access to VPN-protected resources and simultaneously allow access to the Internet.
Since you have selected 'Enable split tunneling with allowed access to local subnets', it just ensures that you still get access to your local network, the one from which you are trying to establish the SSL VPN connection.
Along with the Network Connect ACLs you will also need to add split tunneling policies which contain those 2 networks which are protected over SSL VPN.
Why do you need Network Connect ACLs and split tunneling policies?
Split tunneling policies tell the client what traffic needs to be tunneled.
Network Connect ACLs tell the SSL VPN device what traffic to allow and deny.
To clear things up a bit more for you:
Normally, when setting up NC, the default route is altered to send traffic to the SA. This means that all traffic not destined for the local subnets of your network cards will be sent to the SA, thus including all Internet traffic. You could allow the user to use the Internet over your connection, but that usually wouldn't be very wise, and it is undesirable because of the added delays too.
Anyway, with split tunneling you can tell what subnets are behind the SA. Then only routes for those subnets are added and pointed to the SA. You can verify this in your routing table. All other traffic will take the normal routes as already configured on the client machine.
Here you can see my routing table with split tunneling:
flaptoppy ~ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.20.30.254 0.0.0.0 255.255.255.255 UH 1 0 0 eth0
80.84.244.135 10.20.30.254 255.255.255.255 UGH 1 0 0 eth0
192.168.255.0 10.230.255.1 255.255.255.0 UG 1 0 0 tun0
10.20.30.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
10.240.0.0 10.230.255.1 255.255.0.0 UG 1 0 0 tun0
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
0.0.0.0 10.20.30.254 0.0.0.0 UG 0 0 0 eth0
As you can see only 192.168.255.0/24 and 10.240.0.0/16 are routed to the SA. Hope this clarifies.
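As an added illustration (not part of any of the posts above, and not Juniper's code): a small Python script that parses `route -n` output like the table in the previous answer and checks, for a given list of split-tunnel subnets, that only those subnets are routed via the tunnel interface and that the default route, and with it Internet traffic, still leaves via the physical NIC. The subnets 192.168.255.0/24 and 10.240.0.0/16, the interface name tun0 and the first routing table are taken from that answer; the second, full-tunnel table is constructed here to show what the vendor's "no Internet when connected" complaint looks like in the routing table.

```python
import ipaddress

# Sample input 1: the split-tunnel routing table quoted in the answer above.
SPLIT_TUNNEL_ROUTES = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.20.30.254 0.0.0.0 255.255.255.255 UH 1 0 0 eth0
80.84.244.135 10.20.30.254 255.255.255.255 UGH 1 0 0 eth0
192.168.255.0 10.230.255.1 255.255.255.0 UG 1 0 0 tun0
10.20.30.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
10.240.0.0 10.230.255.1 255.255.0.0 UG 1 0 0 tun0
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
0.0.0.0 10.20.30.254 0.0.0.0 UG 0 0 0 eth0
"""

# Sample input 2 (constructed, not from the thread): what the table looks like when
# split tunneling is off and the client's default route has been moved onto the tunnel.
FULL_TUNNEL_ROUTES = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
80.84.244.135 10.20.30.254 255.255.255.255 UGH 1 0 0 eth0
10.20.30.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
0.0.0.0 10.230.255.1 0.0.0.0 UG 0 0 0 tun0
"""

# Subnets the SA publishes in its split tunneling policy (the two seen in the table above).
PROTECTED_SUBNETS = ["192.168.255.0/24", "10.240.0.0/16"]


def parse_route_n(text):
    """Turn `route -n` output into a list of route dicts (net, gateway, iface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner line and the column header; data rows have exactly 8 fields.
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gateway, genmask, _flags, metric, _ref, _use, iface = parts
        # Genmask is a dotted quad; strict=False tolerates host bits in the destination.
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append({"net": net, "gateway": gateway, "iface": iface, "metric": int(metric)})
    return routes


def lookup(routes, address):
    """Kernel-style route selection: longest prefix match, lowest metric as tie-break."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def check_split_tunnel(routes, protected_subnets, tunnel_iface="tun0"):
    """Report whether the routing table reflects a correct split-tunnel policy.

    tunneled:            per protected subnet, is it reached via tunnel_iface?
    default_via_tunnel:  True means everything else (Internet included) enters the
                         tunnel, which is exactly the "no Internet when connected" symptom.
    extra_tunnel_routes: routes on tunnel_iface that the policy did not ask for.
    """
    policy = [ipaddress.ip_network(s) for s in protected_subnets]
    report = {"tunneled": {}, "default_via_tunnel": False, "extra_tunnel_routes": []}
    for subnet in policy:
        route = lookup(routes, str(subnet.network_address))
        report["tunneled"][str(subnet)] = bool(
            route and route["iface"] == tunnel_iface and subnet.subnet_of(route["net"])
        )
    for route in routes:
        if route["iface"] != tunnel_iface:
            continue
        if route["net"].prefixlen == 0:
            report["default_via_tunnel"] = True
        if not any(route["net"].subnet_of(p) for p in policy):
            report["extra_tunnel_routes"].append(str(route["net"]))
    return report


def next_hop_iface(text, address):
    """Which interface would `address` leave on, given raw `route -n` output."""
    route = lookup(parse_route_n(text), address)
    return route["iface"] if route else None


if __name__ == "__main__":
    for label, table in (("split tunnel", SPLIT_TUNNEL_ROUTES), ("full tunnel", FULL_TUNNEL_ROUTES)):
        print(label, check_split_tunnel(parse_route_n(table), PROTECTED_SUBNETS))
        print("  8.8.8.8 leaves via", next_hop_iface(table, "8.8.8.8"))
```

Run against the first table the report shows both protected subnets on tun0, no default route through the tunnel and no surplus tunnel routes, so an Internet address such as 8.8.8.8 still leaves via eth0; against the constructed full-tunnel table the same check flags `default_via_tunnel` and lists 0.0.0.0/0 as a tunnel route the policy never asked for. The route selection mirrors what the kernel does (longest prefix, then metric), which is why the /32 host route for 10.20.30.254 wins over the /24 and the default.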