How do I implement the requirement that IPSec VPN clients can also surf the Internet, but are routed through a dedicated Internet firewall? 

The following configuration sets up a default gateway override on the ASA. Traffic that arrives through the IPSec tunnel and matches no more specific route is forwarded to a second firewall instead of the regular default gateway.

conf t
! default gateway route pointing to the Internet router
route public 0.0.0.0 0.0.0.0 192.168.0.246 1
! tunneled default gateway route pointing to the Internet firewall
route intern 0.0.0.0 0.0.0.0 192.168.1.9 tunneled
end
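
The next-hop selection these two routes produce can be checked with a small model. This is an added example, not ASA code or part of the original configuration. The two connected /24 networks, the function name `lookup` and the sample destination addresses are assumptions made for illustration.

```python
import ipaddress

# Routing table modelled on the configuration above.
# The two connected /24 networks are ASSUMED; the page gives no interface masks.
ROUTES = [
    # (interface, prefix, next hop, tunneled)
    ("public", "192.168.0.0/24", None, False),        # assumed connected network
    ("intern", "192.168.1.0/24", None, False),        # assumed connected network
    ("public", "0.0.0.0/0", "192.168.0.246", False),  # route public 0.0.0.0 0.0.0.0 192.168.0.246 1
    ("intern", "0.0.0.0/0", "192.168.1.9", True),     # route intern 0.0.0.0 0.0.0.0 192.168.1.9 tunneled
]


def lookup(dst, from_tunnel):
    """Return (egress interface, next hop) for a destination address.

    Simplified model: longest prefix wins. The tunneled default route is
    only a candidate for traffic that arrived through a VPN tunnel, and for
    that traffic it is preferred over the standard default route.
    """
    addr = ipaddress.ip_address(dst)
    candidates = []
    for interface, prefix, next_hop, tunneled in ROUTES:
        network = ipaddress.ip_network(prefix)
        if addr not in network:
            continue
        if tunneled and not from_tunnel:
            continue  # tunneled route never applies to non-VPN traffic
        # Sort key: prefix length first, then tunneled over standard default.
        candidates.append((network.prefixlen, tunneled, interface, next_hop))
    if not candidates:
        raise LookupError(f"no route to {dst}")
    _, _, interface, next_hop = max(candidates)
    # Connected networks have no next hop: deliver directly to the destination.
    return interface, next_hop or dst


if __name__ == "__main__":
    # Constructed sample destinations (203.0.113.10 is a documentation address).
    for dst, from_tunnel in [("203.0.113.10", True), ("203.0.113.10", False),
                             ("192.168.1.50", True)]:
        source = "VPN client" if from_tunnel else "non-VPN host"
        print(f"{source:12} -> {dst:14} via {lookup(dst, from_tunnel)}")
```

Internet-bound traffic from a VPN client leaves through `intern` toward 192.168.1.9, while the same destination from a non-VPN host still follows the standard default route to 192.168.0.246.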