I don't have access to systems to verify anymore so this is from memory.
In Shrew soft client you need to select the "tunnel all" option to turn off split tunneling. This will generate an automatic default route up the tunnel once connected.
On the SSG you then need to be sure there is an internet nat policy and security policy from the zone and ip addresses in your pool for the dynamic clients. The internet browsing will come from that pool ip and zone and go to your untrust or internet zone. Both nat and security policies need to be in place.