I've actually just about solved this. It was due to me being lazy and adding the acls to the very end of the file, hence the deny all in the acl section was running before my allow. Using the config example from the squid site I have resolved this. The only disappointment now is that it won't work with transparent redirection. This means I've got to find out how to implement a group policy for firefox which seems to be difficult if not impossible. Thanks Matt