I don't know how to break IPs to separate. Can you please help me?
This means using subnetting. The Network Administrators Guide covers what that means.
Another type of VPN configuration will use an encrypted PPP connection. This doesn't need subnetting.
Another is IPsec, such as Openswan. A newer technology is L2TP.
You can use an SSH tunnel to connect the user to the network. This is still a VPN. You should explain what the user will be able to do. What is the server you mentioned for?
The part of your question of denying the remote user access to web connections or their own LAN on this laptop is a separate issue. You need to deny the user root access and configure the routing table to use the tunnel as the default gateway.
I don't understand why you don't want to use a VPN since any secure remote connection to your corporate LAN is a VPN. That is what you want to do.
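The reply above says the laptop's routing table should use the tunnel as the default gateway so the user cannot reach the web or the local LAN directly. The following is an added example, not part of the thread: a Python check that audits `ip -4 route show` output for routes that bypass the tunnel. The interface names (`tun0`, `wlan0`), the addresses and the function name `audit_routes` are assumptions made for illustration; it only inspects the main routing table, not firewall rules.

```python
import ipaddress

# Constructed samples in `ip -4 route show` format (not from the thread).
SPLIT = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
FULL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
203.0.113.10 via 192.168.1.1 dev wlan0 onlink
"""
DROP_TYPES = {"unreachable", "blackhole", "prohibit"}  # routes that discard traffic

def audit_routes(route_text, tunnel_dev, vpn_endpoint):
    """Return findings; an empty list means nothing bypasses tunnel_dev."""
    endpoint = ipaddress.ip_address(vpn_endpoint)
    findings, default_devs = [], []
    for line in route_text.strip().splitlines():
        fields = line.split()
        if not fields or fields[0] in DROP_TYPES:
            continue
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        if fields[0] == "default":
            default_devs.append(dev)
            continue
        net = ipaddress.ip_network(fields[0], strict=False)
        if dev == tunnel_dev:
            continue
        # The only route allowed off the tunnel is the host route that
        # carries the encrypted packets to the VPN endpoint itself.
        if net.prefixlen == 32 and net.network_address == endpoint:
            continue
        findings.append(f"{net} bypasses the tunnel via {dev}")
    if not default_devs:
        findings.append("no default route")
    for dev in default_devs:
        if dev != tunnel_dev:
            findings.append(f"default route uses {dev}, not {tunnel_dev}")
    return findings

if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("full", FULL)):
        print(name, audit_routes(table, "tun0", "203.0.113.10") or "ok")
```

A clean result only holds while the user cannot edit the table, which is why the reply pairs the routing change with denying root access.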