Где поставить ACL в SQUID

Встала необходимость придушить у пары-тройки хостов аську. Но вот куда я только не ставил acl для блокирования, ничего не помогает, грешу на две строчки:
acl Safe_ports port 80 21 443 563 70 210 1025-65535
http_access deny !Safe_ports
Но они нужны безоговорочно, потому как около 100 хостам разрешается пользоваться аськой. Выношу свой конфиг в студию, чтобы было относительно понятно:
http_port 3128
icp_port 0
mcast_groups none
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
log_ip_on_direct on
mime_table /etc/squid/mime.conf
log_mime_hdrs off
pid_filename /var/run/squid.pid
log_fqdn off
client_netmask 255.255.255.255
ftp_user Squid@mdi.ru
ftp_passive on
auth_param ntlm program /usr/lib/squid/ntlm_auth ADMDI\\beta
auth_param ntlm children 500
auth_param ntlm max_challenge_reuses 0
wais_relay_port 0
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 5 minutes
positive_dns_ttl 6 hours
client_lifetime 3 day
half_closed_clients off
acl admdi proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
http_access allow admdi
http_access deny all
acl SSL_ports port 443 563 5190
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl ban206 src 192.168.2.206/255.255.255.255
acl ICQ_DOMAIN  dstdomain       icq.com aol.com login.icq.com
acl ICQ_ADDR    dst             64.12.0.0/16 205.188.0.0/16
acl ICQ_PORT    port            5190
acl ICQ_PROTO   proto           HTTPS
acl CONNECT method CONNECT
delay_pools 1
delay_class 1 1
delay_access 1 allow ban206
delay_access 1 deny all
delay_parameters 1 800/800
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny ban206 ICQ_ADDR ICQ_PORT ICQ_PROTO CONNECT
cache_mgr master@mdi.ru
cache_effective_user squid
visible_hostname omega
logfile_rotate 2
error_directory /usr/lib/squid/errors/Russian-1251
coredump_dir /var/spool/squid
ie_refresh on