We have an Ubuntu server running Squid, which authenticates against a Server 2008 domain for user authentication. NTLM enables silent authentication if the machine and user logged in authenticate; otherwise it pops up a login window if the user logged in is not a valid user. The setup uses Group Policy to point the browser to the proxy. On a separate network, I use a proxy.pac script to set up the proxy settings in my browser. I prefer this setup, because Firefox is able to use this. Firefox ignores the Group Policy setup. Anything is really possible these days.
As mentioned above, the firewall can be set up to act as a transparent proxy.
We are using delay pools to trickle feed certain websites, block undesirable ones, and obviously as a cache. We are able to log traffic per user, hence the NTLM authentication.
Squid is best configured by hand, not through a GUI.
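
A hand-written `squid.conf` fragment for the kind of setup described above, added here as an illustration and not the poster's actual configuration. It assumes the Squid host is joined to the domain with Samba/winbind so that `ntlm_auth` works; the helper path, file paths, domain names and rates are assumed values.

```conf
# --- NTLM authentication via Samba's ntlm_auth helper ---
# Assumption: helper installed at /usr/bin/ntlm_auth, winbind running.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# --- ACLs ---
# Any user who completes proxy authentication against the domain.
acl domain_users proxy_auth REQUIRED
# Undesirable sites, one domain per line (hypothetical file path).
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"
# Sites to trickle feed (placeholder domain).
acl throttled_sites dstdomain .video.example

# --- Access rules: first match wins, so order matters ---
http_access deny blocked_sites
http_access allow domain_users
# Explicit default deny so unauthenticated clients cannot use the proxy.
http_access deny all

# --- Delay pool: one aggregate bucket shared by all matching traffic ---
delay_pools 1
delay_class 1 1
# restore rate / bucket size in bytes (assumed: about 32 KB/s)
delay_parameters 1 32000/32000
delay_access 1 allow throttled_sites
delay_access 1 deny all

# --- Per-user logging ---
# The native "squid" log format includes the authenticated user name,
# which is what makes per-user traffic reports possible.
access_log /var/log/squid/access.log squid
```

Run `squid -k parse` to check the syntax before reloading. Proxy authentication needs clients that are explicitly configured to use the proxy (Group Policy or proxy.pac), so these rules do not carry over unchanged to a transparent (intercepting) setup.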