(EXIM) ACL for only allowing internal domain to send to internal group alias

If you need this only for local users then I think you should not use sender because it can be falsified without any trouble - instead you should configure SMTP auth (begin authenticators section) and next you can use something like this:

deny  recipients   = lsearch*@;/etc/exim/protected-recipients
      !authenticated = *
      message      = Sending denied - protected list - not authenticated - returned to sender
      log_message  = PROTECTED - sending denied not - authenticated - - logged to file

deny  recipients   = lsearch*@;/etc/exim/protected-recipients
      condition    = ${lookup{$authenticated_id}lsearch{/etc/exim/allowed-users}{no}{yes}}
      message      = Sending denied - protected list - no access - returned to sender
      log_message  = PROTECTED - sending denied - no access - logged to file

For recipients I use lsearch*@; so you can use both full email addresses and wilcarded like this:

[email protected]
*@protected-domain

For authenticated users you need just list it names line by line (note yes and no order in lookup).

If you need remote users too, then you can add:

accept  recipients   = lsearch*@;/etc/exim/protected-recipients
    !sender_domains = +local_domains
    condition    = ${lookup{$sender_address}lsearch{/etc/exim/allowed-users}{yes}{no}}

before first deny and list addresses one per line.