Or you can avoid even CLR. Just remove xp_CmdShell access from the user, put the functionality into a stored procedure, use an EXECUTE as OWNER in the proc (the DB must be owned by "SA"), and grant EXECUTE privs to the proc to the user. The user can be as low as PUBLIC only privs and will be able to execute the proc but won't be able to execute xp_CmdShell directly.
--Jeff Moden
Change is inevitable... Change for the better is not.
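
The steps described in the post above, as an added T-SQL example that is not part of the original post. The names `UtilityDB`, `dbo.ListImportFiles`, `AppUser` and the path `D:\Import` are hypothetical, xp_cmdshell is assumed to be enabled on the instance already, and the `TRUSTWORTHY` setting is an assumption added here that the post does not mention.

```sql
-- Added example. Hypothetical names: UtilityDB, dbo.ListImportFiles, AppUser, D:\Import.
-- Assumes xp_cmdshell is already enabled on the instance via sp_configure.

-- 1. Remove direct xp_cmdshell access from the user (only applies if it was granted).
USE master;
GO
REVOKE EXECUTE ON xp_cmdshell FROM AppUser;
GO

-- 2. The database that holds the proc must be owned by sa, as the post says.
ALTER AUTHORIZATION ON DATABASE::UtilityDB TO sa;
GO
-- Assumption (not in the post): an EXECUTE AS OWNER context is only honoured
-- outside its own database when that database is marked TRUSTWORTHY.
-- With an sa-owned TRUSTWORTHY database, anyone who can create or alter
-- EXECUTE AS modules in it can act as sysadmin, so keep db_owner and DDL
-- rights in UtilityDB restricted to administrators.
ALTER DATABASE UtilityDB SET TRUSTWORTHY ON;
GO

-- 3. Put the functionality in the proc. The command text is fixed inside the
--    proc; the caller supplies no part of what reaches the shell.
USE UtilityDB;
GO
CREATE PROCEDURE dbo.ListImportFiles
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    EXEC master.dbo.xp_cmdshell 'DIR "D:\Import\*.csv" /B';
END;
GO

-- 4. The user needs nothing beyond EXECUTE on this one proc.
GRANT EXECUTE ON OBJECT::dbo.ListImportFiles TO AppUser;
GO

-- 5. Check from the user's context: call the proc, then try xp_cmdshell directly.
EXECUTE AS USER = 'AppUser';
EXEC dbo.ListImportFiles;
BEGIN TRY
    EXEC master.dbo.xp_cmdshell 'DIR';
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS direct_call_error, ERROR_MESSAGE() AS direct_call_message;
END CATCH;
REVERT;
```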