Is there a way to obtain the desired outcome without having to make the Zentyal server a DC?
Sure
there are two different concepts and unless you are looking for SSO which would rely on Kerberos that is tightly linking to DC in Zentyal implementation, there is no link between proxy and DC.
In order to enforce prompt for credential while using proxy, you must:
- use explicit proxy (authentication doesn't work with transparent proxy)
- configure rules that will grant access only to authenticated users, adding group membership control if needed.
The way these rules are configured slightly differs between Zentyal 2.x and 3.x but at the end, same principle remains: authentication internet access through explicit proxy should be granted only to authenticated users... et voilĂ
Notice that this has nothing to do with filtering