You can exclude the manager IP addresses from being passed through the proxy in the same place where you include the subnet that will be passing through the proxy. Instead of capture, select NOT CAPTURE for them.
There doesn't seem to be an official way to let everyone browse during the lunch break, but you could try that with a script or with cron.
Yes, you can also do what you say: let everyone who is connected through a tunnel browse without a blacklist. Just exclude this interface's subnet from the proxy service.