OK, for everyone who have read to this point searching for a professional advice, the bottom line is:

Disabling xp_cmdshell is a stupid idea.

It only creates obstackles for developing solutions and adds a false impression of better security.

In fact it does not add any protection.

Users which are not in systemadmin role cannot execute xp_cmdshell anyway.

Users in sysadmin role who can execute xp_cmdshell can also enable it at any time by running following code:

sp_configure 'xp_cmdshell', 1

GO

RECONFIGURE WITH OVERRIDE

GO

sp_configure can be executed by any user who can execute xp_cmdshell.

If you want to prevent SQL Server users with SA privileges from accessing server/network resourses they are not supposed to access you need to make sure that Windows User Account which starts SQL Server has only those privileges within Windows domain which are required for performing productive tasks and no more.

That is it.

Case closed.