We are using ntlm_auth with the --require-membership-of= option to restrict user access to the squid proxy.
Although this works great, because nearly all our users are given Internet access, there is extra overhead of adding every user to the "Allow Internet Group". It would make sense (to me anyway) to have the inverse of this option, so that by default everyone is granted access except for a --not-member-of="Deny Internet Group". This allows simpler administration of the user access group, assuming you have fewer users being denied Internet access.
I'll have a look at that one.