the most easy way is to do it with firewall...
clue is, address-list and filter, also you need to know the IP address of websites you need to allow and disallow first...
- create 2 different address-list which will contain the IP addresses of your clients, then name 'em to group_A and group_b
- create another 2 different address-list which will contain the IP address of the forbidden destination sites. name 'em to Not_For_Group_A and Not_For_group_B
/ip firewall filter
add chain=forward out-interface=[WAN] src-address-list=group_A dst-address-list=!Not_For_Group_A action=drop
add chain=forward out-interface=[WAN] src-address-list=group_B dst-address-list=!Not_For_Group_B action=drop