I don't want vlan 1, 1002-1005 on that link.  It goes through an ISP hand off and I can't control what they have on their side.  For all I know those vlans could be other customers and I can't allow those vlans access for security.

I'm not aware of a way to tweak the module to operate the way you want.

A possible Workaround: Place the ISP on one of the build-in router-ports. There you can configure sub-interfaces for your four VLANs. The HWIC could then be used for your internal connection.

Both Fe's are used.  1 for one ISP and 1 for lan.

So your suggesting move that Fe0/1 (LAN) to the 4esw card and then I can use Fe0/1 with sub interfaces like I currently do today with Fe0/0 for the other ISP?

This is because we have branch offices in different territories that have different LEC's.

Just curious if this is a function of the IOS version running.  Currently running c2800nm-advipservicesk9-mz.124-25g because it does everything I need and lower memory requirements of the 15.1 train.  If I upgrade to c2800nm-advipservicesk9-mz.151-4.M7, do you think it would allow me to prune vlan 1 (and the others) off a Fa interface on a 4ESW hwic card?

Or do you think this limitation is from the traces burned into the ASIC's on the ESW card itself, in which no software could overcome?

As far as I know it's a limitation of the hardware (or the software-implementation for this hardware). I know the same behavior from 15.1 and 15.2 on ISR G2 releases.

Ok, I will mark your suggestion as the correct answer to use the built in Fa0/0 and Fa0/1 for my WAN links and use the 4ESW card for the LAN links.

Fa0/0 - Windstream VPL - 2 offices in Windstream territory (existing) (Requires 802.1q vlans as specified from us to service provider)

Fa0/1 - Verizon EVPL - 2 offices in Verizon territory (adding) (Requires 802.1q vlans as specified from service provider)

Fa0/0/0 - vlan 200 - to 4G LTE backup  for all offices (existing tunnels built)

Fa0/0/1 - Will become the new LAN (adding)