Is you user logging in? Are they using the policy you assigned them or a default policy? How would you know? The answers are in the log file.

This howto is useful and in addition to it here is what you should do.

Obtain the IP address of the workstation in question that you are testing (for this example, let's say it is 192.168.1.125)

Using PuTTY (Windows) or a Terminal (Mac, Linux) open two sessions to your server. Run the following in one session:

tail -f /var/log/dansguardian/access.log | grep 192.168.1.125

Then in the other session run:

tail -f /var/log/squid/access.log | grep 192.168.1.125

The dansguardian log will show you what policy is being applied to the URL request. The squid log will show you the username that is authenticated.

Now you can answer question number 1, "Why don't my browsers ask for authentication everytime i open them." If you see in the squid log that there is a username associated with the URL, then the answer is, because it remembered their authentication. This can happen if the browser doesn't really 'shutdown'. Windows can keep some instances of browsers running in the background even if the window is closes. Watching the log file will confirm this as the browser includes the username and authentication with each request to the proxy.

You will also be able to answer question 2, "Why when i make changes to the policy i have setup or to the web access control, nothing changes, i can still login and do whatever." The dansguardian log file will show you which policy is being applied to the user request. If it shows that the default policy is being applied then perhaps there is something going wrong with authentication or the user is not being enumerated properly from the group that you have assigned to them. Or there could be a loophole in your policy itself which lets them through (stealth mode perhaps?).

But you won't know what the situation is until you can use the log files to find out what the situation is under the hood.