The problem with this is, that it is also perfectly simple to un-secure your database with xp_cmdshell.
In general you should use the right tools for the right tasks.
And to use xp_cmdshell to move file handling from ASP.NET to SQL Server is the wrong decision in my opinion.
Btw, there is some useful information for those that want to secure xp_cmdshell:
http://msdn2.microsoft.com/en-us/library/aa175398(SQL.80).aspx
Best Regards,
Chris Büttner