xp_cmdshell should be disabled from a security-risk standpoint. When you have xp_cmdshell enabled, you're allowing processes outside SQL Server to make changes to databases.
I usually do that for fast actions.
What I practice is this: when I need xp_cmdshell, I enable the option, use it, and then disable it. Your user must have sysadmin privileges in order to make changes to sys.sp_configure, though.
If you need to have it enabled for a longer period, then you'd better use CLR or another alternative.
Igor Micev, My blog: www.igormicev.com
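The enable, use, disable routine described in the post above, as an added T-SQL example that is not part of the original post: it records the current settings, restores them even if the command fails, and ends with a check of the running values. The `whoami` command is a constructed sample, chosen because it shows which Windows account the command runs under.

```sql
-- Added example (not from the original post).
-- Run as a login with sysadmin privileges, as the post notes.
SET NOCOUNT ON;

DECLARE @prev_adv int, @prev_xp int;

-- Record the running values so they can be put back exactly as found.
SELECT @prev_adv = CONVERT(int, value_in_use)
FROM sys.configurations WHERE name = N'show advanced options';

SELECT @prev_xp = CONVERT(int, value_in_use)
FROM sys.configurations WHERE name = N'xp_cmdshell';

BEGIN TRY
    -- xp_cmdshell is an advanced option, so advanced options must be visible first.
    EXEC sys.sp_configure N'show advanced options', 1;
    RECONFIGURE;

    EXEC sys.sp_configure N'xp_cmdshell', 1;
    RECONFIGURE;

    -- Constructed sample command: prints the OS account the command runs as.
    EXEC xp_cmdshell N'whoami';
END TRY
BEGIN CATCH
    -- Report the failure but fall through to the restore step below.
    PRINT N'xp_cmdshell step failed: ' + ERROR_MESSAGE();
END CATCH;

-- Restore step: runs whether or not the command succeeded.
EXEC sys.sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sys.sp_configure N'xp_cmdshell', @prev_xp;
RECONFIGURE;
EXEC sys.sp_configure N'show advanced options', @prev_adv;
RECONFIGURE;

-- Verification: on a hardened instance, value_in_use for xp_cmdshell should be 0.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'show advanced options');
```

The final query is also useful on its own as a periodic audit check, since it reads the running configuration without changing anything.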