If you set up an IPsec (tunnel) VPN connection for your remote users, which it sounds like you have, you are experiencing one of the downsides of utilizing this solution. When users VPN into your organization via an IPsec tunnel, they essentially become a node on your network, just as if they were in the office. So your boss has a legitimate reason for concern.
This being said, if you have proper NTFS and sharing permissions established on your files/folders, then as stated above, they will be treated as if they were in the office, and whatever permissions are assigned to them should carry through.
Your other option is an SSL-based VPN for your remote users. While not as versatile as IPsec, it does have its advantages, one of which is that the client does not become a "node" on your network.
Cheers.