I was going to write up some of my recent experiences, but support already hit that nail on the head quite well. They have a section on WCCP and authentication in the best practices guide: Support Doc: Authentication Examples by Deployment Method. That covers the MWG configuration and the modifications needed in browsers.
Of note, there is a line on changing the authentication server to redirect to a hostname instead of the proxy IP. That simplifies management and makes things work better; you can have one entry in the browser settings instead of separate settings for each proxy IP. Also, if a user's machine is not on the domain they will be prompted by hostname, not IP, which humans seem to trust more.