All of those things should be done in addition to leaving xp_cmdshell disabled.
If those things are done there is no point in disabling xp_cmdshell.
Why do you need it? There is no need to enable it. What would you need it for if things are locked down to the point where the engine only needs to talk to the file system for writing backups, logs and trace files or other system related operations to allow the instance to function?
This conversation began discussing cross-server exchanges of data, i.e. using xp_cmdshell to facilitate an ETL system.
__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato