It’s a little bit (ok, a LOT) more nuanced than that, since the legitimate interest of the controller may not be overridden by the rights and freedoms of the subject. So to use your example, if the IP addresses in combination with the visited URLs can reveal sensitive information (for instance sexual preference or medical information), then the legitimate interest is overridden by the right of the individual to keep this data confidential.
Not always, but most of the time you do have to comply. As a controller, you can only deny such a request if " the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims"
What is your source for that? GDPR says "the obligation to erase personal data without undue delay"