do you already have authentication/authorization set up? It seems that MWG is generally able to talk to the Domain Controller, which is good. As the next step you have to tell MWG to authenticate users when they want to browse. To do so import the "Direct Proxy Authentication" rule set (or one of the other authentication rule sets if required) into your policy.
Modify the rule set to use your NTLM Authentication setting, instead of user-database. When you now save the policy MWG will ask users to authenticate. If this works fine and you see usernames in the access.log you can start building rules that are based on usernames or group memberships.
The properties you will most likely use are Authentication.Username and Authentication.UserGroups.
To apply different Quota Settings based on Group Memberships you could import the example quota rule set three times and add a criteria "Authentication.UserGroups contains Web30mins" for the 30 minutes group, and so on. Now users will jump into different rule sets for quota depending on their group membership.
This is just a very high level approach, but maybe it gives you some ideas.