OK, Orlando... I'd really be interested in how that bit of fine code could be modified to reject usage of cmd.exe by a given user, because I just saw a video of a hacker making his way to the registry and undoing some supposedly safe methods.
http://www.securitytube.net/video/653
He used VBA but he could have just as easily been in SQL Server as an "SA" to sp_regwrite to do the same thing. That means his attack software would take 3ms to try turning xp_CmdShell on and going to the command prompt and maybe another 4ms for his attack software to recognize the failed attempt and make a trip to the registry to correct the "problem" so that he could get to the cmd.exe program using xp_CmdShell.
It also turns out that this supposedly safe method has some pretty nasty caveats for us users...
Your method (the code you posted in the post above this one) seems like it might be better if you could demo how to reject usage attempts.
Still, it seems that a determined hacker that can get to the registry through SQL Server can find and undo just about anything. If you want to prevent someone from using the command line from SQL Server, merely turning off xp_CmdShell seems like pissing on a forest fire. The real key is to keep people from getting in as "SA".
--Jeff Moden
Change is inevitable... Change for the better is not.
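
An audit for the point made in the post above, that the xp_CmdShell switch only matters as long as nobody unexpected holds "SA"-level rights. This T-SQL is an added example, not code from the thread or its participants. It uses only documented catalog views and assumes the login running it can see server-level metadata (for example, VIEW ANY DEFINITION).

```sql
-- Added example (not from the thread): who is able to turn xp_cmdshell back on?

-- 1. Current state of the xp_cmdshell option (configured vs. running value).
SELECT name, value AS configured_value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Every member of the sysadmin fixed server role, enabled logins first.
SELECT m.name AS login_name, m.type_desc, m.is_disabled,
       m.create_date, m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.is_disabled, m.name;

-- 3. The built-in "sa" login, located by its fixed SID so that a rename
--    does not hide it. Check that it is disabled or at least policy-bound.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- 4. Logins holding CONTROL SERVER or ALTER SETTINGS through an explicit
--    grant. Either permission is enough to change the option via
--    sp_configure without being a sysadmin role member.
SELECT p.name AS login_name, p.type_desc,
       sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN (N'CONTROL SERVER', N'ALTER SETTINGS')
  AND sp.state IN ('G', 'W')   -- GRANT, or GRANT WITH GRANT OPTION
ORDER BY sp.permission_name, p.name;
```

Any row in queries 2 or 4 that is not an expected, individually accountable login is worth reviewing before relying on the option being off.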