Squid

How to set up such a feint in Squid?

The scheme is a little strange:
1. Squid serves as an Internet proxy for users on the local network and as a proxy to the corporate site for users from departments.
2. Authorization of users - by ntlm, those who are not in the domain - those by ip address.
3. There are a couple of sites (example: lex.uz) access to which should be open everywhere.
The problem is this: authorization via ntlm, but not all users in the domain have an Internet, when requesting the site lex.uz, requests are triggered for a couple of counters in GA and the local www.uz. As a result, for those who do not have the right to the Internet, each opening of a page with lex.uz asks for a login-password. When you click "cancel" of course everything goes on, but it's annoying. Pretty strong.
So far, I have dodged by putting deny on this pair of counters, but this is the wrong decision.
Tell me how to make a rule in squid so that requests to any addresses other than lex.uz, which have a referral lex.uz., are not skipped?
If the referral is not lex.uz, they are not subject to a ban.