Ok, I've put back the 'bad' configuration as school hours are over and found a bad user that has no internet connection.
I made this the only user in the group (per squid.conf) and restarted the service. There was no change.
squid access.log
361443273.701 250 192.168.1.47 TCP_DENIED/403 25777 CONNECT urs.microsoft.com:443
ABC16475@ABC-ASTANA.LAN NONE/- text/html
1361443273.701 249 192.168.1.47 TCP_DENIED/403 25775 CONNECT urs.microsoft.com:443
ABCI16475@ABC-ASTANA.LAN NONE/- text/html
I also placed the user on their own line as follows:
acl grp~students proxy_auth
abc16475@QSI-ASTANA.LAN snipped from just after:
http_access allow grp~students fltr5~df~dmn17
http_access allow grp~students fltr5~df~dmn16
http_access deny grp~students fltr5~df~dmn15
http_access allow grp~students fltr5~df~dmn14
http_access allow grp~students fltr5~df~dmn13
http_access allow grp~students fltr5~df~dmn12
http_access allow grp~students fltr5~df~dmn11
http_access allow grp~students fltr5~df~dmn10
http_access allow grp~students fltr5~df~dmn9
http_access allow grp~students
Maybe of interest, dansguardian log does not register this deny.
edit: moving this user to a different acl group also changes nothing.
2nd edit:
This from syslog:
Feb 21 16:40:48 newserver smbd_audit: abc16475|192.168.1.47|connect|ok|QSI16475
Feb 21 16:40:49 newserver smbd[3381]: [2013/02/21 16:40:49.771784, 0] ../source3/auth/check_samsec.c:491(check_sam_security)
Feb 21 16:40:49 newserver smbd[3381]: check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'