i don’t know much about VB…
but its UNBELIVEABLE that all the users in your company are using SAP_ALL.
the risks to this, is simply unquantifiable…
if a VB application is connecting to your SAP system to view information, like you said,
there has to be an RFC connection between both systems,
in which case the Target host and IP addresses would have to be defined in SM59…
and an appropriate system user created or setup (maybe ALEREMOTE) to be used for logon across both applications.
doin this means that setting up the Authorization Object S_RFC…under Object Class AAAB.
you will also need to re-build from scratch (define as per the business, build and implement, test, and deploy a whole new security & authorization design) for your company. this is very, very important.
make use of TX SU24 as is necessary to maintain the Transactions and Authorization Objects required by your users.
it will take a lot of effor and time as you will have to refine your design as to enable you capture for each business unit and role, only the Authorization Objects and Transaction, that they only need.