
"The CC defines the Protection Profile (PP) construct which allows prospective consumers or developers to create standardised sets of security requirements which will meet their needs."
"The Target of Evaluation (TOE) is that part of the product or system which is subject to evaluation. The TOE security threats, objectives, requirements and summary specification of security functions and assurance measures together form the primary inputs to the Security Target (ST), which is used by the evaluators as the basis for evaluation."
"Evaluation
The principal inputs to evaluation are the Security Target, the set of evidence about the TOE and the TOE itself. The expected result of the evaluation process is a confirmation that the ST is satisfied for the TOE, with one or more reports documenting the evaluation findings."
In short, the Protection Profile defines the implementation-independent set of security requirements and objectives. I think the PP used for Win2000 is "Controlled Access Protection Profile (Version 1.d)", downloadable here
"The TOE (Target of Evaluation) is the product under evaluation (Win2000+VPN?+?) and the ST (security target) contains the security objectives and requirements of a specific identified TOE and defines the functional and assurance measures offered by that TOE to meet stated requirements. The ST may claim conformance to one or more PPs and forms the basis for an evaluation."
The assurance level (EALx) is the measure of "how much" assurance there exists that a TOE meets its security claims. EAL1 ("bad")
So the really interesting parts are the Security Target and the Evaluation-report. (Then you know what you're talking about).
(Yes, my native tongue is not English)
Practical people would be more practical if they would take a little more time for dreaming. -- J. P. McEvoy