Allowing or denying access based on a username or group requires 2 components :

• A web authentication layer with a rule that performs authentication against a predefined realm
• A web access layer specifying the username or group as the source, and the desired action

To learn how to configure authentication, 000011213 is a great place to start. Once that is configured, it's simply a matter of creating a Web Access layer and adding rules that allow or deny sites or categories, and set a user or user group as the source for those rules so that they only apply to the right user(s).