1 - I really don't see why running it in a VM will help solving this specific request. As general approach VM might be OK... or not. It really depends on what you intend to achieve.
2 - Profiling you intend to apply is not that easy. If I summarize, you want:
- one group authorized to 2 URLs only.
- one group authorized to all URLs but social networks (BTW, are you able to list all these so called "social network", I mean to list URLs
)
- one group authorized to everything
This mean you need at least:
- non transparent proxy
- 3 different filter profiles
- 3 different user groups
- for the first filter profile, tick the "Block not listed domains and URLs:" checkbox and add your two URLs in the list of autorized URLs
- for the second filter profile, use default settings but add (denying) URL of social networks you want to prevent
- third one is straightforward
- be sure default behaviour is not to authorize outgoing flow...