Do I have to explicitly deny every port that is not used or can't be used such as 23, 80 (it doesnt connect to the internet but connects on a leased line) and all other well known ports?

The ACL defines what is encrypted  - so when your traffic hits the crypto map it checks the source and destination and compares it to the ACL. If it matches then it encrypts it and sends it down the tunnel. If you don't specify any specific ports in the ACL (as we haven't above) then any IP packets between those two hosts will be encrypted.

Ok, but if I use an ACL not in the crypto map just to block ports from being used at all, is there a way to do that without naming every port that must be blocked?  For example, I have an access list like the one above used for the tunnel, but then I have another one that I blocked telnet on. In that list is there a way to block all ports not used or do I need to have a command for each port I want blocked(such as POP3, HTTP, FTP, etc). Thanks for your help.

There are two ways of looking at this - just allow specific traffic i.e:

access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet

Everything else is blocked because of the implicit deny at the end of the ACL.

OR:

Block specific traffic and allow everything else:

access-list 101 deny tcp host 1.1.1.1 host 2.2.2.2 eq telnet

access-list 101 permit ip host 1.1.1.1 host 2.2.2.2