FYI: the technical terms for these are Negotiate/NTLM and
Negotiate/Kerberos. With the '/' being part of the type name, not the
usual meaning of alternative words.
...
I notice several useful things about these external_acl_type definitions:

1) that they are identical except for the "memberOf=cn=WEB_ACCESS_"
string in the LDAP query.

2) that the group name you pass the helper ("web-access-1/2/3") is
never actually used (no %g in the filter syntax).

That means you can simplify quite a lot just by passing the real group
name to the helper and using %g.

external_acl_type AD_WEB_ACCESS %LOGIN \
/usr/lib64/squid/ext_ldap_group_acl -P -R \
-b OU=USERS,DC=netgol,DC=local \
-D ldap -W "/etc/squid/ldap_pass.txt" \
-f
"(&(sAMAccountName=%u)(memberOf=cn=%g,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local))"
\
-h s-dc1.netgol.local -p 3268


acl WEB_ACCESS_1 external AD_WEB_ACCESS WEB_ACCESS_1
acl WEB_ACCESS_2 external AD_WEB_ACCESS WEB_ACCESS_2
acl WEB_ACCESS_3 external AD_WEB_ACCESS WEB_ACCESS_3



(I suspect there is something you can do to simplify the AD tree for -b
and -f LDAP parameters. But someone more familiar with LDAP syntax will
have to go over that.)
Your policy said:
"Non-authenticated clients (Win PCs) cannot navigate through the proxy."

So what you need to start with in your custom rules, is one which says
only that not-auth clients are forbidden.

acl auth proxy_auth REQUIRED
http_access deny !auth

... now to reach the below tests a client *must* be logged in. You can
safely assume that credentials are available for all tests below.


FYI: Squid will send an auth-challenge denial instead of a regular
forbid error page. If your clients are logged into AD correctly they
will authenticate transparently as you wish. If the client is *not*
logged into the domain they *might* see a popup - that has nothing to do
with Squid and can only be resolved at the browser.
Note that Squid will have already been doing this for the external
ACLs, but this is a simpler and clearer way to write the config which
also allows you to make the group checks send a hard 403 forbidden
instead of having to always allow clients to re-login.
Since none of the groups is allowed to LS_malicius you do not actually
have to know what group they are in to block that traffic.

Just use:
http_access deny LS_malicius

You can further optimize performance by placing that above the login
line. Since login is a waste of cycles if you are only going to reject.

The only reason you might want to deny here is to log which user was
trying to go there (infected?). So you need to decide if that log detail
is worth the slower performance and heavier load on AD. The performance
benefit varies by network and may be extremely small (or not) - so you
may want to experiment and measure.
Similar, but slightly different here for LS_remotecontrol.

In this case note that group #3 is about to be allowed to do anythign,
including this traffic. So you can allow them now:

http_access allow WEB_ACCESS_3

... then do the denial for the remaining groups without needing to check
which group is which.

http_access deny LS_remotecontrol

... then the regular group #1 and #2 allow.
Your policy statements do not mention anything about localhost traffic
being allowed to use the proxy. Is this something you can remove?
So to summarize, you http_access should look like this (modulo your
localhost decision):


### HTTP access control policies
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny !auth
http_access allow localhost
http_access deny LS_malicius
http_access allow WEB_ACCESS_3
http_access deny LS_remotecontrol
http_access allow WEB_ACCESS_1
http_access allow WEB_ACCESS_2
http_access deny all
In the above, you might want to add config comments for yourself
mentioning why each of the above is different from the defaults.

If they are just copy-paste from a tutorial without understanding why,
then maybe the defaults are fine for your needs.

Some of what you have above *are* the modern defaults which do not need
configuring (eg half_closed_clients, uri_whitespace, ipcache_low, maybe
coredump_dir).

Some are irrelevant. eg log_icp_queries is pointless when ICP is
disabled by default, "debug_options rotate=N" defaults to the
logfile_rotate value.

Some are intended to resolve quite specific issues which are not
relevant on most networks (eg dns_v4_first, forwarded_for,
visible_hostname, half_closed_clients) and you may actually need
different settings than people commonly paste blindly into web
tutorials. Read the docs for those options particularly the descriptions
of use-cases, caveats, and any WARNINGS / NOTICE text.


And last but not least - always run "squid -k parse" after changing
config or upgrading the proxy. Squid can detect a large number of
config problems and tells you about them, usually with instructions on
how to resolve it.


HTH
Amos