Squid stops processing rules on the first match. If you add an account to both groups then it always matches one of 'deny' ACLs when the user tries to access a web-site from one of these categories.
Instead you can use 'allow' rules:
http_access allow NEWS rule1
http_access allow SHOPPING rule2
http_access deny all
In this case all matched are allowed and all non-matched are denied.
In order to make it more readable you can rename acls:
http_access allow group-NEWS url_regex-news
http_access allow group-SHOPPING url_regex-shopping
http_access deny all