There is no way to detect this, as far as I know. Perhaps you could routinely ping a known Internet address using source routing through your client, but I doubt even that would work. The key is prevention and the only way to do that is through configuration control. All remote clients must have the same configuration as any client that is directly connected, with the exception for the VPN software, of course. In all cases, users should not have administrator or root access to the client machine and should not be given the privilege of installing software or changing software configurations. Anything short of that, and you will not be able to prevent split tunneling.
Many corporations do not allow VPN access at all for the reasons that have been discussed. To access corporate resources, they will instead provide an SSL-protected Web portal for employees to access their e-mail or other resources. They still need to authenticate to the system, but the authentication is protected by the SSL encryption. This solution can provide remote employees with basic capabilities, but is not the same as what they would have directly connected.
Other solutions that are used are things like PCAnywhere, GoToMyPC and others. All of these have security problems similar to VPN, and in some cases more, as they rely on a third-party being trusted. I don't recommend those solutions, either.
As always though, remember that there needs to be a balance between usability and security. Only a risk assessment can analyze those trade-offs and help you decide what level of risk is acceptable.
For more information on this topic, visit these other SearchSecurity.com resources:
This was first published in February 2003