And welcome to the NethServer community!
There are several ways to do this, the easiest would be to only allow your (Squid-) Server direct access to the Internet.
Don’t use transparent mode, but use the quite reliable WPAD function. WPAD is still activated by MS, even on the latest Win10! So no work for this!
The shortcut with this implementation: You set read rights only for that specific group, but not the other, directly on the WPAD proxy.pac file!
2) Customized Access rules for squid.
Here you’ld need to create your own squid template, using the e-smith templating function, to create your own, customized squid.conf.
Here, you’ld need to create a couple of rules in the “access” area.
For both: YMMV
My 2 cents