This behavior does not affect the functionality of the VPN connection and is working as designed.
Once you install Network Connect or Pulse Secure Desktop client, your computer becomes multi-homed, meaning your machine has multiple interfaces. Since the VPN Tunneling client function is to serve as a remote access method, it is always assumed that machine's NIC is configured on a disjointed network, or a network that is physically separate from your VPN network. Only one default gateway needs to be configured on any multi-homed computer. The default gateway is a global configuration setting and not a setting that must be set for each network adapter, unless both NICs are on the same contiguous network and you require fault tolerance.
The VPN Tunneling configuration by the Connect Secure admin already pre-determines the networks that must be routed through the VPN tunnel. A route will be added for those networks once the VPN is connected. This method ensures that traffic meant for the corporate intranet is routed through the VPN tunnel while all other traffic will go through the machine's NIC.
When you have disabled Split Tunneling, the Default Gateway is set to your VPN Tunneling IP since all network traffic from the client should go through the tunnel. In Windows XP, VPN Tunneling routes are added with a lower metric (the route with the lowest metric is the one which will be used), but in Vista/7 the local routes are removed completely to ensure all traffic is routed through the VPN tunnel. (See KB17354 for more information.) The Default Gateway is also set to your VPN Tunneling IP when you have chosen Allow access to local subnet, but SA will preserve the route on the client retaining access to local resources such as printers.
