LinuxQuestions.org


qwertyjjj 08-15-2009 09:45 AM

Deleted testuser from passwd file but squid still allows connections
 
I deleted a user from my squid_passwd file.
Restarted my browser and on the next connection, squid requested the password. However, it still allowed me in even though the user name testuser wasn't in the password file?

I tried with a fake user called fakeuser at the browser prompt and that denied me so the ncsa_auth must be working.

Any ideas as to what could be wrong?

On a related note on existing connections, if the user is removed from the password file, shouldn't squid reauthenticate or does it only do that when the session is lost?

repo 08-15-2009 11:26 AM

Did you restart squid ?

qwertyjjj 08-15-2009 11:46 AM

Quote:

Originally Posted by repo (Post 3644478)
Did you restart squid ?

No - would be pointless to restart squid every time you added a user or deleted one as that would affect all the existing users:
According to the squid user group it seems this affects the user cache auth schemes and I probably need to uncomment it in the conf and then restart.
Quote:

# "credentialsttl" timetolive
# Specifies how long squid assumes an externally validated
# username:password pair is valid for - in other words how often the
# helper program is called for that user. Set this low to force
# revalidation with short lived passwords. Note that setting this high
# does not impact your susceptibility to replay attacks unless you are
# using an one-time password system (such as SecureID). If you are using
# such a system, you will be vulnerable to replay attacks unless you
# also use the max_user_ip ACL in an http_access rule.
# auth_param basic credentialsttl 2 hours

However, I am not sure whether that means the user is asked for the user password every 2 hours or whether it is only since the last request.
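
The caching behaviour described in the quoted `credentialsttl` comment, as an added example that is not part of the thread and is not Squid's own code: a simplified Python model of a proxy that only calls its auth helper when a cached username:password pair has expired. The class and function names, the sample password file and the timings are constructed, and the model assumes the TTL is measured from the last successful helper check and that only successful checks are cached.

```python
"""Simplified model of a proxy's Basic-auth credential cache (not Squid code)."""


class CredentialCache:
    def __init__(self, helper, ttl_seconds):
        self.helper = helper      # callable(user, password) -> bool; stands in for ncsa_auth
        self.ttl = ttl_seconds    # stands in for credentialsttl
        self.checked_at = {}      # (user, password) -> time of last successful helper check
        self.helper_calls = 0

    def authenticate(self, user, password, now):
        key = (user, password)
        last = self.checked_at.get(key)
        if last is not None and now - last < self.ttl:
            return True           # cache hit: the password file is not consulted
        self.helper_calls += 1    # expired or unknown pair: ask the helper
        if self.helper(user, password):
            self.checked_at[key] = now
            return True
        self.checked_at.pop(key, None)
        return False


def simulate(ttl_seconds):
    """Replay the thread's scenario; returns (results, helper_calls)."""
    passwd = {"testuser": "secret"}           # constructed password file
    cache = CredentialCache(lambda u, p: passwd.get(u) == p, ttl_seconds)
    results = [cache.authenticate("testuser", "secret", now=0)]       # first login
    del passwd["testuser"]                    # admin deletes the user
    results.append(cache.authenticate("testuser", "secret", now=60))  # browser restarted
    results.append(cache.authenticate("fakeuser", "x", now=61))       # never validated
    results.append(cache.authenticate("testuser", "secret", now=7199))
    results.append(cache.authenticate("testuser", "secret", now=7200))
    return results, cache.helper_calls


if __name__ == "__main__":
    for ttl in (7200, 30):                    # 2 hours versus 30 seconds
        print(ttl, simulate(ttl))
```

With the 2 hour TTL the deleted user keeps getting in until the cached entry ages out, while `fakeuser` is rejected at once because it was never cached; with the 30 second TTL the deletion takes effect on the next request after the entry expires, at the cost of more helper calls.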


All times are GMT -5.