We use subnets or a list of trusted IPs to identify systems without authentication. I guess authentication cannot be done via NTLM/Kerberos for such non-domain PCs, and the proxy will use the Basic authentication method, so the browser will display a login dialog.
So, you can use a "Client.IP is in range" or "Client.IP is in list" rule with the stop ruleset action to bypass authentication.
You would need to use Try-Auth, which is available in the ruleset library. This would only work for Windows machines hitting the MWG over direct proxy. Mac or other devices would prompt because that's what they do.