Okay, so you need to also add an access-list on each subinterface to restrict traffic to only the Internet.
For example (502 is 1.1.1.0/24 and 503 is 2.2.2.0/24).
ip access-list ext internet-only
deny 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
deny 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
permit ip any any
int fa0/0
ip access-group internet-only in
int fa0/1
ip access-group internet-only in