Use something like this:
Authentication.Authenticate<NTLM> equals false AND
Authentication.Failed equals false
It's a trick that makes authentication TRY, but if it fails, nothing will happen and no reauthentication request will be sent.
But there can be another issue. When the proxy asks for authentication, the browser will not try the logged-in credentials and will show a pop-up window asking the user to enter credentials. This is a browser-side issue. No idea about Safari, I don't use it.
This is exactly what the try auth rulesets were designed to do. There are rulesets in the on-box library under authentication.
We started configuring TRY authentication, but looking in McAfee's documentation for WCCP, they recommend using Auth Server. I did not see it stated anywhere that we can use Try Auth instead of Auth Server. I guess I am being extra careful not to over-complicate things or make our configuration non-standard and unsupported.