[squid-users] http_access conundrum - another attempt

To all,

I made a real mess form the previous mail which I sent without any
https_access rules. Thanks Christoph. Let's try again.

I am using external authentication ldap, where on a group basis I am
blocking file extensions such as \.exe$ \.zip$ etc. Members of this
group are restricted from downloading executable and zip files.

# user base 3
acl internet_access3 external ldap_group Access-Internet
acl word-control url_regex -i "/usr/local/squid/var/word-control.tp"
acl site-control dstdomain "/usr/local/squid/var/site-control.tp"
acl download urlpath_regex \.exe$ \.zip$

http_access deny internet_access3 word-control
http_access deny internet_access3 site-control
http_access deny internet_access3 download
http_access allow internet_access3

 
Now, I have a number of users which are using client software which
needs to be regularly updated by .exe files from the internet. I would
like to allow those users to be able to access the .exe files from the
nominated sites only and being blocked from downloading .exe files from
anywhere else.

I created another group for them and tried to exclude them from the exe
ban list for the specific sites only.

acl internet_access6 external ldap_group Access-Exe-Bacs
acl exe-bacs dstdomain "/usr/local/squid/var/exe-sites.tp" - contains
.exe allowed sites only.

How do I go about allowing those users to access any site without them
being able to download those exe and zip files except for the nominated
domains??
I can either block all sites or no site at all. I am looking for
something like this

http_access deny internet_access6 word-control
http_access deny internet_access6 site-control
http_access deny internet_access6 download !exe-bacs -exception
domains???
http_access allow internet_access6

Many thanks for your help

Tomas

--
tp
PRIVACY & CONFIDENTIALITY
This e-mail is private and confidential.  If you have, or suspect you have received this message in error please notify the sender as soon as possible and remove from your system.  You may not copy, distribute or take any action in reliance on it. Thank you for your co-operation.
Please note that whilst best efforts are made, neither the company nor the sender accepts any responsibility for viruses and it is your responsibility to scan the email and attachments (if any).
This e-mail has been automatically scanned for viruses by MessageLabs.