Here are the relevant parts of my Squid config and some examples of what is in the ACL files. I downloaded the IP list from ipdeny.com. As it was, the end-of-line character wasn’t correct and I had to correct that before Squid would read it correctly. I just copied and pasted it into a new file to correct it.
I don’t know if this is the best way to approach this, and I am sure there are some problems with it currently. I am continuing to tweak it as things come up. With all allowed domains, the number of authentication pop-ups I received was drastically reduced. Looking it over, I already see that rearranging the allow and deny rules would be of benefit for me.
I am also using fail2ban on this server with the Squid configuration file from http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Squid_filter. This does eventually block someone who gets enough TCP_DENIED 407 messages. I had also modified it to include 403 messages with some success. With the number of blocks we receive from blocking ads, I would get devices locked out unintentionally, but increasing the number of attempts seems to have resolved this.
squid.conf
## ACL for blocked files originally just .exe
acl blockedfiles urlpath_regex "/etc/squid/blocked.files.acl"
## ACL for blocked domains
acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"
## ACL for allowed domains
acl alloweddomain dstdomain "/etc/squid/allowed.domains.acl"
## ACL for allowed user agents
acl allowedbrowser browser "/etc/squid/allowed.browser.acl"
## ACL for users requiring proxy authentication
acl password proxy_auth REQUIRED
## United States External Allowed
acl external src "/etc/squid/us.zone"
## Internal Networks
acl internal src "/etc/squid/local.zone"
##Allow access from the admwired network defined above without authentication
http_access allow internal
##Block the following based on acl defined above
http_access allow alloweddomain
http_access deny blockedfiles
http_access deny blockeddomain
http_access deny !allowedbrowser
##Allow access from all networks but require authentication
http_access deny !password
http_access allow external password
#And finally deny all other access to this proxy
http_access deny all
allowed.browser.acl
^.*iPad.*$
blocked.files.acl
\.[Ee][Xx][Ee]$
us.zone
103.246.248.0/24
113.29.0.0/17
163.60.0.0/16
192.103.43.0/24
202.72.96.0/20
203.144.48.0/20
203.187.128.0/19
3.0.0.0/8
4.0.0.0/8
6.0.0.0/8
7.0.0.0/8
8.0.0.0/8
9.0.0.0/8
11.0.0.0/8
12.0.0.0/8
13.0.0.0/8
etc…..
allowed.domains.acl
.apple.com
.mzstatic.com
.appextras.com
.google.com
.facebook.com
.gstatic.com
.amazonaws.com
.bloxcms.com
.lyveapps.com
.doubleclick.net
.googleusercontent.com
.2mdn.net
.admob.com
.mopub.com
.googletagservices.com
.quantserve.com
.exelator.com
.facebook.net
.google-analytics.com
.googleadservices.com
.scorecardresearch.com
.qwapi.com
.appspot.com
.mobclix.com
.crashlytics.com
.mm.bing.net
.verisign.com
plus some more for specific iPad apps that I had to allow
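
The lockout effect described in the fail2ban paragraph, as an added example that is not part of the original post or of the fail2ban filter it links to: a simplified sliding-window counter over Squid native-format access.log lines, showing how counting TCP_DENIED/403 alongside 407 bans an authenticated device that only hit blocked ad hosts, and how a higher retry limit avoids that. The log lines, addresses, host names and the `banned_clients` helper are constructed for illustration; `maxretry` and `findtime` mirror the fail2ban settings of the same names.

```python
import re
from collections import defaultdict, deque

# Squid native access.log: time elapsed client action/status bytes method URL ...
LINE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+TCP_DENIED/(\d{3})\s")

def banned_clients(lines, statuses, maxretry, findtime):
    """Return {client: ban_time} for clients that reach maxretry denials
    (status in `statuses`) within a sliding window of findtime seconds."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) not in statuses:
            continue
        ts, client = float(m.group(1)), m.group(2)
        if client in bans:
            continue                      # already banned, nothing more to count
        window = recent[client]
        window.append(ts)
        while ts - window[0] > findtime:  # drop denials older than the window
            window.popleft()
        if len(window) >= maxretry:
            bans[client] = ts
    return bans

def sample_log():
    """Constructed log lines using documentation addresses, not real traffic."""
    out = []
    # 198.51.100.7: repeated failed proxy authentication, one try every 10 s
    for i in range(12):
        out.append(f"{1400000000 + 10 * i}.000 3 198.51.100.7 TCP_DENIED/407 "
                   "4012 CONNECT www.example.com:443 - HIER_NONE/- text/html")
    # 203.0.113.20: authenticated device whose apps request blocked ad hosts
    for i in range(8):
        out.append(f"{1400000005 + 5 * i}.000 1 203.0.113.20 TCP_DENIED/403 "
                   "3650 GET http://ads.example.net/b.js alice HIER_NONE/- text/html")
    return sorted(out, key=lambda l: float(l.split()[0]))

if __name__ == "__main__":
    log = sample_log()
    for label, statuses, retry in [("407 only, maxretry 5", {"407"}, 5),
                                   ("407+403, maxretry 5", {"407", "403"}, 5),
                                   ("407+403, maxretry 10", {"407", "403"}, 10)]:
        print(label, banned_clients(log, statuses, retry, 600))
```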