Apologies for the very late reply, Tom. Thanks for the detailed explanation about xp_CmdShell in SQL Server 2000. I knew a good amount of that but it was a great reminder for something... a lot of myths in SQL Server were once fact in previous versions. People were absolutely correct in having an almost visceral fear about xp_CmdShell in SQL Server 2000 and earlier. It's much more as of SQL Server 2005 but people still have that learned fear and have carried it forward.
I will echo one visceral fear about it, though. It's still bloody foolish to give a non-SA user the proxy privs to run it directly for many of the reasons you mentioned as to why it was a bad idea in 2000 or earlier. It is, however, super easy to give a user privs to execute a stored procedure that uses xp_CmdShell in a highly controlled manner without that user being able to use xp_CmdShell directly.
Again, thank you for the thoughtful reply and the subliminal reminder about why certain types of SQL Myths are propagated. It's been a big help.
--Jeff Moden
Change is inevitable... Change for the better is not.
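
Added example, not part of the post above and not the poster's own code: one way to build the kind of controlled wrapper procedure the post describes. The names UtilDB, dbo.ListBackupFiles, ReportUser and the D:\Backups path are hypothetical, and it assumes xp_cmdshell is already enabled and UtilDB is a utility database owned by sa with TRUSTWORTHY ON, in which nobody but sysadmins can create or alter objects (anyone who can gains sysadmin through EXECUTE AS OWNER).

```sql
-- Added illustration; every object name and path here is hypothetical.
USE UtilDB;
GO
CREATE PROCEDURE dbo.ListBackupFiles
    @DbName sysname
WITH EXECUTE AS OWNER   -- runs as dbo (sa) only for the duration of this procedure
AS
BEGIN
    SET NOCOUNT ON;

    -- Allow-list check: the value must name a database on this instance.
    IF NOT EXISTS (SELECT 1 FROM sys.databases WHERE name = @DbName)
    BEGIN
        RAISERROR('Unknown database name.', 16, 1);
        RETURN;
    END;

    -- Character check: letters, digits and underscore only, so nothing that
    -- cmd.exe treats specially (& | > < " % ^ space) can reach the command line.
    -- The binary collation keeps A-Z and a-z to plain ASCII ranges.
    IF @DbName COLLATE Latin1_General_BIN LIKE '%[^A-Za-z0-9_]%'
    BEGIN
        RAISERROR('Database name contains characters that are not allowed.', 16, 1);
        RETURN;
    END;

    -- The command text is fixed; the caller supplies only the validated name.
    DECLARE @Cmd varchar(400);
    SET @Cmd = 'DIR /B "D:\Backups\' + @DbName + '_*.bak"';

    EXEC master.sys.xp_cmdshell @Cmd;
END;
GO

-- The user gets EXECUTE on the wrapper only. No xp_cmdshell proxy account is
-- configured and no EXECUTE permission on xp_cmdshell itself is granted.
GRANT EXECUTE ON dbo.ListBackupFiles TO ReportUser;
GO
```

ReportUser can list backup files for an existing database through the procedure but has no way to pass arbitrary text to the operating system.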