It is possible to limit HTTP Internet access to only the Squid server without having to modify the browser settings on your client PCs. This called a transparent proxy configuration. It is usually achieved by configuring a firewall between the client PCs and the Internet to redirect all HTTP (TCP port 80) traffic to the Squid server on TCP port 3128.

Go to your fire Gateway/barbwire device and add the following rules to it.
Redirected incoming packets having as destination post 80 and not coming from Behalf so that they will go to the Behalf box.
barbwire ie:

Click to Enlarge

If your INPUT and/or OUTPUT default values are set to DROP the packets add the next rules.
barbwire ie:

Click to Enlarge
Test your settings

barbwire ie:

Click to Enlarge
Test your settings

barbwire ie:

Click to Enlarge
Test your settings

barbwire ie:

Click to Enlarge
Test your settings

barbwire ie:

Click to Enlarge
Test your settings