Hi
Assuming the vlan interface for the isolated vlan is on the 4006 you need to create an access-list that denies traffic from any other vlan in your network and then permits from any other ie. the Internet
So lets assume you have 3 other subnets on your 4006
192.168.5.0/24
192.168.6.0/24
192.168.7.0/24
The isolated subnet is
192.168.8.0/24
Also lets assume the isolated vlan interface is vlan 10
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 permit ip any 192.168.8.0 0.0.0.255
access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 permit 192.168.8.0 0.0.0.255 any
interface vlan 10
ip access-group 101 out
ip access-group 102 in
HTH
Jon