There is a new Sql Server Security best practices white paper.

Nothing specific on SqlXml/ HTTP access (yet) – but definitely worth a read.  And I was able to peruse the entire paper while listening to the 23 minute version of “Whole Lotta Love” on the “new” Led Zepplin live album (which is quite good).